-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: prevent secret output #118
Conversation
950655e
to
330e362
Compare
- name: Keep environment name in the summary | ||
run: echo '### Ran integration tests against ${{ inputs.environment }} ' >> $GITHUB_STEP_SUMMARY | ||
|
||
- name: Setup database and engine | ||
id: setup | ||
uses: firebolt-db/integration-testing-setup@v1 | ||
with: | ||
firebolt-username: ${{ env.USERNAME }} | ||
firebolt-password: ${{ env.PASSWORD }} | ||
firebolt-username: ${{ inputs.environment == 'staging' && secrets.FIREBOLT_STG_USERNAME || secrets.FIREBOLT_USERNAME_DEV }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this change anything?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, special characters were bugged in the previous implementation - https://github.com/firebolt-db/dbt-firebolt/pull/118/files#diff-29ce8407d15551c9c62184e207b6ceadebb261f7ffbfb75d7d67844ba33709abL51
if you had a $ in the password for example you'd have bash resolving that variable to an empty string therefore rendering the password unusable. This implementation does not pass around secrets but uses the correct one instead so it's kept as is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is probably a bug in every repo. Yet, since we are removing dev support this will be fixed by it's own, so nothing to do I guess
tests/conftest.py
Outdated
|
||
def represent_data(self, data): | ||
if isinstance(data, Secret): | ||
return self.represent_scalar('tag:yaml.org,2002:str', data.value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a comment to explain this formatting. What would be the resulting example for a secret here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Found a better function to use and also added a comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we dump the actual secret into the profiles.yml
config file for DBT. Everywhere else it would be obscured.
Quality Gate passedKudos, no new issues were introduced! 0 New issues |
FIR-29705
Preventing accidental secret output.
Changing staging/dev secrets logic since the old one didn't handle special characters correctly and now we have those with the new credentials. In any case, dev will be retired soon.