fix: register SOPS-decrypted secrets for CI log redaction #460

Merged

guettlibot merged 1 commits from refs/pull/460/head into main 2026-06-06 03:38:48 +00:00

Conversation 0 Commits 1 Files Changed 1

+566 -4810

guettlibot commented 2026-06-05 21:40:57 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

Summary

• The Forgejo/GitHub Actions runner only redacts values it has been explicitly told about. Secrets exported via $GITHUB_ENV in setup_dagger_remote.sh were never registered, so they could appear in plain text in CI log output.
• Added ::add-mask:: calls for every secret exported by export_secret(), and for the two inline variables DAGGER_SSH_KEY and DAGGER_ENGINE_HOST that bypass that function.
• Multiline values (e.g. SSH private keys, JSON key files) are masked line-by-line, since ::add-mask:: covers a single line at a time.

Test plan

• Trigger a workflow_dispatch run of deploy.yml and confirm no secret values appear in plain text in the "Setup Dagger Remote Engine" step or any subsequent steps.
• Confirm the existing [secrets] exported NAME (N chars) log lines still appear (they log only the name and length, not the value).

Closes #434

## Summary - The Forgejo/GitHub Actions runner only redacts values it has been explicitly told about. Secrets exported via `$GITHUB_ENV` in `setup_dagger_remote.sh` were never registered, so they could appear in plain text in CI log output. - Added `::add-mask::` calls for every secret exported by `export_secret()`, and for the two inline variables `DAGGER_SSH_KEY` and `DAGGER_ENGINE_HOST` that bypass that function. - Multiline values (e.g. SSH private keys, JSON key files) are masked line-by-line, since `::add-mask::` covers a single line at a time. ## Test plan - [ ] Trigger a `workflow_dispatch` run of `deploy.yml` and confirm no secret values appear in plain text in the "Setup Dagger Remote Engine" step or any subsequent steps. - [ ] Confirm the existing `[secrets] exported NAME (N chars)` log lines still appear (they log only the name and length, not the value). Closes #434

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

NeedSupervisor

Issue escalated to a human supervisor; agentloop will skip it until cleared.

State/InProgress

State/Later

State/Planned

automerge

Eligible for automatic merge by CI

ci-failure

Issue opened by agentloop to track a failing CI workflow; used for deduplication.

do-not-merge

Plan PR — review only, do not merge.

loop/code

Add to run the built-in "code" prompt; override at prompts/code.md.

loop/code-ci-pending

Prompt "code" finished; waiting for the PR's CI to pass before advancing.

loop/code-done

Prompt "code" finished successfully.

loop/code-in-process

Agent for the "code" prompt is currently running on this issue.

loop/merge

Managed by agentloop

loop/merge-done

Managed by agentloop

loop/merge-in-process

Managed by agentloop

loop/plan

Add to run the built-in "plan" prompt; override at prompts/plan.md.

loop/plan-done

Prompt "plan" finished successfully.

loop/plan-in-process

Agent for the "plan" prompt is currently running on this issue.

No labels

Milestone

No items

No Milestone

Projects

Clear projects

No projects

Assignees

Clear assignees

guettlibot guettli

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: guettli/sharedinbox#460