Do not call setSecret on any unmasked secrets (#17)

* Do not call `setSecret` on any unmasked secrets Right now, every value that's pulled from Doppler is marked as a secret in GitHub Actions, which means any workflow using this action ends up with a ton of unnecessary redactions. For example, if you have the following Doppler values: ``` NODE_ENV = test WORKER_COUNT = 3 ``` Then *every* output that includes `test` and the number 3 gets redacted, making the output rather difficult to read. Now I'm unable to tell the real difference between Listing and Downloading secrets, but from what I can tell from the [api docs](https://docs.doppler.com/reference/secrets-list) only List Secrets includes the visibility information, so I had to change how secrets are pulled. Fixes #16 * Add some debugging * Provide fallback to raw secret * Need to return the nested `secrets` object * Clear out the debugging lines * Remove `raw` fallback, that's not necessary
DopplerHQ · Mar 21, 2024 · bc453b9 · bc453b9
1 parent 584cb6c
commit bc453b9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/doppler.js b/doppler.js
@@ -6,15 +6,15 @@ import { VERSION } from "./meta.js";
  * @param {string} dopplerToken
  * @param {string | null} [dopplerProject]
  * @param {string | null} [dopplerConfig]
- * @returns {() => Promise<Record<string, string>>}
+ * @returns {() => Promise<Record<string, Record>>}
  */
 async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
  return new Promise(function (resolve, reject) {
  const encodedAuthData = Buffer.from(`${dopplerToken}:`).toString("base64");
  const authHeader = `Basic ${encodedAuthData}`;
  const userAgent = `secrets-fetch-github-action/${VERSION}`;
 
- const url = new URL("https://api.doppler.com/v3/configs/config/secrets/download?format=json");
+ const url = new URL("https://api.doppler.com/v3/configs/config/secrets");
  if (dopplerProject && dopplerConfig) {
  url.searchParams.append("project", dopplerProject);
  url.searchParams.append("config", dopplerConfig);
@@ -27,14 +27,15 @@ async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
  headers: {
  Authorization: authHeader,
  "user-agent": userAgent,
+ "accepts": "application/json",
  },
  },
  (res) => {
  let payload = "";
  res.on("data", (data) => (payload += data));
  res.on("end", () => {
  if (res.statusCode === 200) {
- resolve(JSON.parse(payload));
+ resolve(JSON.parse(payload).secrets);
  } else {
  try {
  const error = JSON.parse(payload).messages.join(" ");

diff --git a/index.js b/index.js
@@ -27,9 +27,11 @@ if (IS_SA_TOKEN && !(DOPPLER_PROJECT && DOPPLER_CONFIG)) {
 
 const secrets = await fetch(DOPPLER_TOKEN, DOPPLER_PROJECT, DOPPLER_CONFIG);
 
-for (const [key, value] of Object.entries(secrets)) {
+for (const [key, secret] of Object.entries(secrets)) {
+ const value = secret.computed || "";
+
  core.setOutput(key, value);
- if (!DOPPLER_META.includes(key)) {
+ if (!DOPPLER_META.includes(key) && secret.computedVisibility !== "unmasked") {
  core.setSecret(value);
  }