From f88d14f362f402be4608e90d67088efe09e9ebe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bot=20of=20Thomas=20G=C3=BCttler?=
Date: Sat, 6 Jun 2026 05:38:47 +0200
Subject: [PATCH] fix: register SOPS-decrypted secrets for CI log redaction (#460)
## Summary
- The Forgejo/GitHub Actions runner only redacts values it has been explicitly told about. Secrets exported via `$GITHUB_ENV` in `setup_dagger_remote.sh` were never registered, so they could appear in plain text in CI log output.
- Added `::add-mask::` calls for every secret exported by `export_secret()`, and for the two inline variables `DAGGER_SSH_KEY` and `DAGGER_ENGINE_HOST` that bypass that function.
- Multiline values (e.g. SSH private keys, JSON key files) are masked line-by-line, since `::add-mask::` covers a single line at a time.
## Test plan
- [ ] Trigger a `workflow_dispatch` run of `deploy.yml` and confirm no secret values appear in plain text in the "Setup Dagger Remote Engine" step or any subsequent steps.
- [ ] Confirm the existing `[secrets] exported NAME (N chars)` log lines still appear (they log only the name and length, not the value).
Closes #434
Co-authored-by: Thomas SharedInbox
Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/460
---
 scripts/setup_dagger_remote.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/scripts/setup_dagger_remote.sh b/scripts/setup_dagger_remote.sh
index 02259f8..0f01768 100755
--- a/scripts/setup_dagger_remote.sh
+++ b/scripts/setup_dagger_remote.sh
@@ -17,12 +17,25 @@
 sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
+# Register inline secrets for log redaction. Multiline values (e.g. SSH keys)
+# must be masked line-by-line because ::add-mask:: covers one line at a time.
+printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST"
+while IFS= read -r line; do
+ [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
+done <<< "$DAGGER_SSH_KEY"
+
 # Export all CI secrets to the GitHub Actions environment so subsequent steps
 # can use them without referencing Forgejo secrets directly.
 export_secret() {
 local name="$1"
 local value
 value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
+ # Register each non-empty line for log redaction in the Actions runner.
+ if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then
+ while IFS= read -r line; do
+ [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
+ done <<< "$value"
+ fi
 if [ -n "${GITHUB_ENV:-}" ]; then
 # Use heredoc syntax for multiline-safe export.
 # Avoid adding a second trailing newline for values that already end with one
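Review bot: The inline masking block added before `# Export all CI secrets` runs unconditionally, so outside a runner (no `GITHUB_ENV`, e.g. when the script is run locally to debug) it prints `::add-mask::<private key line>` to stdout in plain text, which is the opposite of what the change intends, while the loop added inside `export_secret` is correctly gated on `${GITHUB_ENV:-}`. The two loops are otherwise identical and both use `line` without `local`, so it leaks into global scope from `export_secret`; one `mask_value` helper with `local line` and the guard removes both issues. If the runner unescapes command data the way actions/runner does (`%25` becomes `%`), a value containing a literal `%` is registered in altered form, so escaping it as `${line//%/%25}` is worth adding at the same time. The body of `export_secret` continues past the end of the hunk.
```shell
# Register every non-empty line of a value for runner log redaction.
# No-op outside a runner, where "::add-mask::" would merely echo the secret.
mask_value() {
  local line
  [ -n "${GITHUB_ENV:-}" ] || return 0
  while IFS= read -r line; do
    [ -z "$line" ] || printf '::add-mask::%s\n' "${line//%/%25}"
  done <<< "$1"
}

mask_value "$DAGGER_ENGINE_HOST"
mask_value "$DAGGER_SSH_KEY"

# … unchanged: export_secret() header and jq lookup of "$value" …
  mask_value "$value"
# … unchanged: GITHUB_ENV heredoc export …
```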