Sops in ci, CI redaction.... #434

New Issue

Closed

opened 2026-06-05 04:45:23 +00:00 by guettli · 2 comments

guettli commented 2026-06-05 04:45:23 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

CI does not know that these strings are secrets. Redaction does not work.

CI does not know that these strings are secrets. Redaction does not work.

guettlibot commented 2026-06-05 19:25:03 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

I now have everything I need. Here is the implementation plan:

---

Implementation Plan: Fix CI secret redaction in setup_dagger_remote.sh

Problem

scripts/setup_dagger_remote.sh decrypts secrets.enc.yaml via SOPS and writes the resulting values into $GITHUB_ENV so subsequent workflow steps can use them. However, the Forgejo/GitHub Actions runner only redacts values it has been explicitly told to treat as secrets — either via ${{ secrets.* }} substitutions, or via the ::add-mask:: workflow command. Because the script never issues ::add-mask:: commands, any step that echoes or logs one of the exported values (e.g., a dagger call progress line, a stray set -x, or a debug printout) will expose the secret in plain text in the CI log.

Root cause

The export_secret() function in scripts/setup_dagger_remote.sh writes values to $GITHUB_ENV but never emits ::add-mask::. The runner therefore has no record of which strings to redact.

Fix — one file: scripts/setup_dagger_remote.sh

1. Add per-line masking inside export_secret()

Immediately after the value=$(jq -r ...) line, emit one ::add-mask:: per non-empty line of the value. Multiline secrets such as SSH private keys must be masked line-by-line because the ::add-mask:: command only covers what is on that one output line.

export_secret() {
    local name="$1"
    local value
    value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
    # Register each non-empty line for log redaction in the Actions runner.
    if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then
        while IFS= read -r line; do
            [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
        done <<< "$value"
    fi
    if [ -n "${GITHUB_ENV:-}" ]; then
        {
            printf '%s<<__EOF__\n' "$name"
            printf '%s' "$value"
            [ "${value%$'\n'}" = "$value" ] && printf '\n'
            printf '__EOF__\n'
        } >> "$GITHUB_ENV"
    fi
    printf '[secrets] exported %s (%d chars)\n' "$name" "${#value}"
}

2. Mask the two inline variables DAGGER_SSH_KEY and DAGGER_ENGINE_HOST

These are extracted from the JSON but never passed through export_secret(). Add masking directly after they are assigned:

DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")

# Mask inline secrets so the runner redacts them from logs.
printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST"
while IFS= read -r line; do
    [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
done <<< "$DAGGER_SSH_KEY"

What does NOT change

• No Dart/Flutter code, no Drift schema, no pubspec.yaml.
• No new files, no Taskfile changes, no CI workflow YAML changes.
• The existing [secrets] exported NAME (N chars) log line is safe and stays.
• The ::add-mask:: output is consumed by the runner and does not appear in the visible log.

Testing guidance

After the change, a CI run that encounters any logged value (e.g., from set -x in a sub-script, or a Dagger progress line that echoes an env-var) should show *** instead of the raw secret. Verify by triggering the deploy.yml workflow manually (workflow_dispatch) and checking that none of the exported secret values appear in plain text in the log output for the steps that follow "Setup Dagger Remote Engine".

I now have everything I need. Here is the implementation plan: --- ## Implementation Plan: Fix CI secret redaction in `setup_dagger_remote.sh` ### Problem `scripts/setup_dagger_remote.sh` decrypts `secrets.enc.yaml` via SOPS and writes the resulting values into `$GITHUB_ENV` so subsequent workflow steps can use them. However, the Forgejo/GitHub Actions runner only redacts values it has been explicitly told to treat as secrets — either via `${{ secrets.* }}` substitutions, or via the `::add-mask::` workflow command. Because the script never issues `::add-mask::` commands, any step that echoes or logs one of the exported values (e.g., a `dagger call` progress line, a stray `set -x`, or a debug printout) will expose the secret in plain text in the CI log. ### Root cause The `export_secret()` function in `scripts/setup_dagger_remote.sh` writes values to `$GITHUB_ENV` but never emits `::add-mask::`. The runner therefore has no record of which strings to redact. ### Fix — one file: `scripts/setup_dagger_remote.sh` **1. Add per-line masking inside `export_secret()`** Immediately after the `value=$(jq -r ...)` line, emit one `::add-mask::` per non-empty line of the value. Multiline secrets such as SSH private keys must be masked line-by-line because the `::add-mask::` command only covers what is on that one output line. ```bash export_secret() { local name="$1" local value value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON") # Register each non-empty line for log redaction in the Actions runner. if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then while IFS= read -r line; do [ -n "$line" ] && printf '::add-mask::%s\n' "$line" done <<< "$value" fi if [ -n "${GITHUB_ENV:-}" ]; then { printf '%s<<__EOF__\n' "$name" printf '%s' "$value" [ "${value%$'\n'}" = "$value" ] && printf '\n' printf '__EOF__\n' } >> "$GITHUB_ENV" fi printf '[secrets] exported %s (%d chars)\n' "$name" "${#value}" } ``` **2. Mask the two inline variables `DAGGER_SSH_KEY` and `DAGGER_ENGINE_HOST`** These are extracted from the JSON but never passed through `export_secret()`. Add masking directly after they are assigned: ```bash DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON") DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON") # Mask inline secrets so the runner redacts them from logs. printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST" while IFS= read -r line; do [ -n "$line" ] && printf '::add-mask::%s\n' "$line" done <<< "$DAGGER_SSH_KEY" ``` ### What does NOT change - No Dart/Flutter code, no Drift schema, no `pubspec.yaml`. - No new files, no Taskfile changes, no CI workflow YAML changes. - The existing `[secrets] exported NAME (N chars)` log line is safe and stays. - The `::add-mask::` output is consumed by the runner and does not appear in the visible log. ### Testing guidance After the change, a CI run that encounters any logged value (e.g., from `set -x` in a sub-script, or a Dagger progress line that echoes an env-var) should show `***` instead of the raw secret. Verify by triggering the `deploy.yml` workflow manually (`workflow_dispatch`) and checking that none of the exported secret values appear in plain text in the log output for the steps that follow "Setup Dagger Remote Engine".

guettlibot commented 2026-06-05 21:45:03 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

Summary

Fixed CI secret redaction in scripts/setup_dagger_remote.sh by adding ::add-mask:: workflow commands.

Root cause: The Forgejo/GitHub Actions runner only redacts values it's been explicitly told about. Secrets decrypted from secrets.enc.yaml and written to $GITHUB_ENV were never registered for masking, so they could appear in plain text in CI log output.

Fix: Added ::add-mask:: calls in two places:

1. Inside export_secret() — each non-empty line of every exported secret is registered before being written to $GITHUB_ENV. Multiline values (SSH keys, JSON service account files) are masked line-by-line since ::add-mask:: covers one line at a time.
2. For the inline variables DAGGER_ENGINE_HOST and DAGGER_SSH_KEY — these were extracted directly from the JSON and used without going through export_secret(), so they needed their own masking calls.

Pull request: https://codeberg.org/guettli/sharedinbox/pulls/460

## Summary Fixed CI secret redaction in `scripts/setup_dagger_remote.sh` by adding `::add-mask::` workflow commands. **Root cause:** The Forgejo/GitHub Actions runner only redacts values it's been explicitly told about. Secrets decrypted from `secrets.enc.yaml` and written to `$GITHUB_ENV` were never registered for masking, so they could appear in plain text in CI log output. **Fix:** Added `::add-mask::` calls in two places: 1. **Inside `export_secret()`** — each non-empty line of every exported secret is registered before being written to `$GITHUB_ENV`. Multiline values (SSH keys, JSON service account files) are masked line-by-line since `::add-mask::` covers one line at a time. 2. **For the inline variables** `DAGGER_ENGINE_HOST` and `DAGGER_SSH_KEY` — these were extracted directly from the JSON and used without going through `export_secret()`, so they needed their own masking calls. Pull request: https://codeberg.org/guettli/sharedinbox/pulls/460

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

issue-563-agentloop-validation

dummy-pr-test

issue-560-fix-firebase-run-url

issue-539-stable-imap-uid

issue-533-shared-email-list

plan-issue-555

drop-nix

plan-issue-484

plan-issue-539

plan-issue-535

plan-issue-474

plan-issue-533

fix-dagger-engineless-precommit

issue-521-fix-deploy-yml-wait-time-api

issue-502-fix-email-id-collision-mailbox

issue-492-eliminate-duplicate-build-runner

issue-494-website-change-detection

issue-491-parallelize-check

issue-478-fix-stalwart-dual-stack-bind

issue-475-allowed-addresses-glob

issue-473-search-result-reorder

issue-453-update-agentloop-defaults

issue-466-structured-search

issue-505-exclude-chaos-monkey-from-regular-ci

issue-509-fix-search-result-sorting

fix-ink-sparkle-remaining-tests

issue-506-fix-search-emails-tests

issue-504-runner-wait-time

issue-488-search-notes

issue-472-changelog-issue-links

issue-501-folder-search-local-sqlite

issue-486-fix-stale-test-shader-mismatch

fix/prevent-settled-search-rerun-473

issue-467-fix-search-stale-results

issue-446-installed-versions-in-changelog

issue-462-fix-pr

issue-448-chaos-monkey-test

issue-436-notes-on-emails

issue-429-unify-mail-display

issue-422-move-to-folder-create-new

issue-414-ensure-not-run-as-root

issue-424-unify-email-list-views

issue-419-trusted-senders-page

issue-425-fix-prs

test-foo

issue-421-bug-report

issue-383-fix-ci

issue-394-fix-deploy-flutter-version

issue-391-fix-ci-double-trigger

issue-376-combined-inbox-v2

issue-376-combined-inbox

issue-384-fix-open-prs

sops-migrate

issue-339-safe-first-on-imap-fetch

issue-340-try-catch-measure-height

issue-342-pin-intl-version

issue-341-guard-threademails-last

issue-335-agentloop-code-test

issue-329-fix

issue-315-fix

issue-320-fix

issue-325-fix

issue-312-fix

issue-311-fix

issue-305-fix

issue-304-fix

issue-299-fix

issue-300-fix

issue-298-fix

issue-296-fix

issue-294-fix

issue-289-fix

issue-288-fix

issue-287-fix

issue-286-fix

issue-277-fix

issue-282-fix

issue-280-fix

issue-272-fix

issue-268-fix

issue-267-fix

issue-266-fix

issue-258-fix

issue-260-fix

issue-257-fix

issue-253-fix

issue-216-fix

issue-251-fix

issue-249-fix

issue-question-fixes

issue-235-fix

issue-236-fix-v2

issue-237-fix

issue-236-fix

issue-228-fix

issue-217-fix

issue-214-fix

issue-213-fix

issue-208-fix

issue-205-fix

issue-204-fix

issue-203-fix

issue-202-fix

issue-129-fix

issue-161-fix

issue-160-fix

issue-201-fix

issue-210-fix

issue-198-fix

issue-200-fix

issue-144-fix

issue-199-fix

fix/playstore-upload-use-requests

issue-193-fix

issue-186-fix

issue-185-fix

issue-192-fix

issue-183-fix

issue-175-fix

issue-172-fix

issue-171-fix

issue-167-fix

issue-136-fix

issue-162-fix

issue-179-fix

issue-155-fix

issue-154-fix

issue-152-fix

issue-151-fix

issue-141-fix

issue-150-fix

issue-164-fix

migrate-to-dagger

task/d1-ci-matrix

task/a4-typeconverter-json

task/u7-onboarding-walkthrough

task/d3-sync-doc

task/a5-layer-boundary-lint

task/t5-golden-tests

task/p5-date-cache

task/s4-link-handling

task/p3-html-parse-isolate

task/u8-mark-all-read

task/u3-recent-searches

task/a3-jmap-injectable-http-client

task/r5-tls-error-handling

fix/playstore-redirect-retry

task/t3-repository-contract-tests

task/p2-email-list-pagination

task/p1-fts5-search

fix/playstore-upload-timeout

task/a1-email-detail-notifier

fix/upgrade-workmanager-0.9

fix/android-core-library-desugaring

task/p4-db-indexes

task/r3-html-error-boundary

task/d2-check-coverage

task/a2-email-tile

task/t4-migration-tests

task/t2-widget-tests

task/t1-email-repo-coverage

task/u6-connection-status

task/u4-push-notifications

task/u2-draft-sync

task/u1-list-unsubscribe

task/s2-hostname-validation

task/r6-reliability-fuzz-tests

task/r4-sync-error-banner

task/r2-force-resync

task/r1-undo-history-persistence

No results found.

Labels

Clear labels

NeedSupervisor

Issue escalated to a human supervisor; agentloop will skip it until cleared.

State/InProgress

State/Later

State/Planned

automerge

Eligible for automatic merge by CI

ci-failure

Issue opened by agentloop to track a failing CI workflow; used for deduplication.

do-not-merge

Plan PR — review only, do not merge.

loop/code

Add to run the built-in "code" prompt; override at prompts/code.md.

loop/code-ci-pending

Prompt "code" finished; waiting for the PR's CI to pass before advancing.

loop/code-done

Prompt "code" finished successfully.

loop/code-in-process

Agent for the "code" prompt is currently running on this issue.

loop/merge

Managed by agentloop

loop/merge-done

Managed by agentloop

loop/merge-in-process

Managed by agentloop

loop/plan

Add to run the built-in "plan" prompt; override at prompts/plan.md.

loop/plan-done

Prompt "plan" finished successfully.

loop/plan-in-process

Agent for the "plan" prompt is currently running on this issue.

No labels loop/code-done

Milestone

No items

No Milestone

Projects

Clear projects

No projects

Assignees

Clear assignees

guettlibot guettli

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: guettli/sharedinbox#434