Exposes sensitive variables in logs

[peter-dolkens]

I can't use this for our company, as it dumps potentially sensitive private keys straight to the logs.

Unfortunately, it not only exposes them, but also reformats them, meaning the inbuilt github secret masking doesn't catch it.

[mpdude]

😱 do you have an example or can you point us to the line where this is logged/printed?

[peter-dolkens]

I'll try replicate again tomorrow - was a message about the key not being recognized as a GitHub deployment key.

I wanted to purge that log asap when it came through 🤣

[mpdude]

Sure it was a private key? A public key fingerprint would make more sense to me.

[mpdude]

@peter-dolkens this action passes the sensitive, private keys directly into ssh-add. Everything later on, including the output shown and comment parsing, is done based on ssh-add -l or ssh-add -L output. So, it should be public key fingerprints or public key parameters only.

I'll close this for now, but feel free to reopen if you still suspect something being wrong here.