Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

attestation: redact secret in environment #17302

Merged
merged 1 commit into from
May 14, 2024
Merged

attestation: redact secret in environment #17302

merged 1 commit into from
May 14, 2024

Conversation

woodruffw
Copy link
Member

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Fixes #17300.

h/t @Bo98 for pointing out the system_command! API's pre-existing ability to do this -- I couldn't use the ENV.sensitive? functionality because that doesn't handle the env: kwarg, but passing it via secrets suffices 🙂

Example induced failure, showing the redacted secret:

$ HOMEBREW_GITHUB_API_TOKEN=lololol brew verify gh
==> Downloading https://ghcr.io/v2/homebrew/core/gh/blobs/sha256:a9b943de9c581a597
Already downloaded: /Users/william/Library/Caches/Homebrew/downloads/1d47281ddb66d5bfb053e1f74cff84446c6626f87d7536b93b5c7dbc5555f073--gh--2.49.2.arm64_sonoma.bottle.tar.gz

Error: failed to fetch attestations from Homebrew/homebrew-core: HTTP 401: Bad credentials (https://api.github.com/repos/Homebrew/homebrew-core/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)
Error: Failed to verify gh--2.49.2.arm64_sonoma.bottle.tar.gz with tag arm64_sonoma due to error:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /opt/homebrew/bin/gh attestation verify /Users/william/Library/Caches/Homebrew/downloads/1d47281ddb66d5bfb053e1f74cff84446c6626f87d7536b93b5c7dbc5555f073--gh--2.49.2.arm64_sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)

(The error message is now much more verbose as well.)

Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw self-assigned this May 14, 2024
Copy link
Member

@Bo98 Bo98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Copy link
Member

@colindean colindean left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@p-linnane p-linnane merged commit 1f603d3 into master May 14, 2024
25 checks passed
@p-linnane p-linnane deleted the ww/redact-env branch May 14, 2024 21:01
@MikeMcQuaid
Copy link
Member

Thanks @woodruffw!

@github-actions github-actions bot added the outdated PR was locked due to age label Jun 15, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
outdated PR was locked due to age
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Attestation failure message emits secret
5 participants