JSON-type secrets are not being safely redacted. #1488
Comments
According to doc:
https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets

Oh, I see. It's a limitation. 😢

Got your point!

One option is to store the base64 encoded json as a secret and then decode action side. Someone could even write an action to do this.

You would store the base64 encoded string as the secret. You would still need to take care that the decoded json isn't logged to output though. Another option is if there's a secret portion of the json, e.g.

then you can also store or register dynamically the 'shhh' part as a secret and then you're not as concerned if it gets outputted. The dynamic option is interesting if your workflow calls an api or cli JIT which returns json. If that's the case you can get the json, and register shhh as a secret via runner commands.
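Worked example of the approach in the comment above (added here as an illustration; it is not code from this thread or from the actions/runner project): the secret is stored as base64(JSON), decoded inside the job, and every sensitive leaf value is registered with the runner through the documented `::add-mask::` workflow command before anything prints the decoded document. Only leaf values are masked, not `{` and `}`, which avoids the noisy redaction the issue reports. The sample JSON and its values are constructed, the `min_len` cutoff is a local choice rather than a runner rule, and `redact` is a local stand-in for the runner's masker so the author can check output before it reaches a real log.

```python
import base64
import json


def decode_secret(b64: str) -> dict:
    """Decode a secret stored as base64(JSON) back into a Python object."""
    return json.loads(base64.b64decode(b64).decode("utf-8"))


def leaf_values(obj) -> list:
    """Collect every scalar leaf (strings and numbers) in a nested JSON value.

    Only leaves are registered as masks: masking structural characters such as
    '{' and '}' is exactly the noisy behaviour the issue above describes.
    """
    if isinstance(obj, dict):
        return [v for child in obj.values() for v in leaf_values(child)]
    if isinstance(obj, list):
        return [v for child in obj for v in leaf_values(child)]
    if isinstance(obj, bool) or obj is None:
        return []  # true/false/null are not worth masking
    return [str(obj)]


def escape_command_data(value: str) -> str:
    """Escape a value the way workflow-command data is escaped (%, CR, LF)."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _maskable(obj, min_len: int) -> set:
    # min_len is a local choice (assumption): a one-character value such as "1"
    # registered as a mask would redact that character everywhere in the log.
    return {v for v in leaf_values(obj) if len(v) >= min_len}


def mask_commands(obj, min_len: int = 4) -> list:
    """Build the ::add-mask:: lines that register each leaf value with the runner."""
    return [f"::add-mask::{escape_command_data(v)}" for v in sorted(_maskable(obj, min_len))]


def redact(text: str, obj, min_len: int = 4) -> str:
    """Local stand-in for the runner's masker: replace registered values with ***.

    Longest values first, so a value that contains another is replaced whole.
    """
    out = text
    for v in sorted(_maskable(obj, min_len), key=len, reverse=True):
        out = out.replace(v, "***")
    return out


# Constructed sample: what a job would read from an env var such as SECRET_B64
# (hypothetical name). These are not real credentials.
SAMPLE_JSON = {
    "client_id": "example-client",
    "credentials": {"token": "shhh-example-token", "ttl": 3600},
}
SAMPLE_B64 = base64.b64encode(json.dumps(SAMPLE_JSON).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    secret = decode_secret(SAMPLE_B64)
    # Emit the masks FIRST; anything printed before this point is unmasked.
    for line in mask_commands(secret):
        print(line)
    # From here on the runner would redact these values; the local check shows
    # what survives in the step output.
    print(redact(json.dumps(secret), secret))
```

In a workflow this would run as a `run: python3 script.py` step with the base64 secret passed in through `env:`; the masks must be emitted before the decoded JSON is echoed anywhere, because the runner only redacts values registered up to that point in the step's output.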
Describe the bug
A clear and concise description of what the bug is.
I have this json secrets.
And this will give readable prints which is not very secret.
Only { and } are masked.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Runner Version and Platform
Version of your runner?
OS of the machine running the runner? OSX/Windows/Linux/...
What's not working?
Please include error messages and screenshots.
Job Log Output
If applicable, include the relevant part of the job / step log output here. All sensitive information should already be masked out, but please double-check before pasting here.
Runner and Worker's Diagnostic Logs
If applicable, add relevant diagnostic log information. Logs are located in the runner's _diag folder. The runner logs are prefixed with Runner_ and the worker logs are prefixed with Worker_. Each job run correlates to a worker log. All sensitive information should already be masked out, but please double-check before pasting here.