Secrets are unexpectedly printed in plain text in job logs #1281
-
|
Hi, first of all, thanks a lot for this brilliant project! I came across an issue and tried to solve it many times, but I cannot figure it out myself, so I decided to come here for some help. I noticed that some private repos should not impact on the result of metrics, then I tried to use the option template: classic
base: header
config_timezone: ${{ secrets.METRICS_TIMEZONE }}
repositories_skipped: ${{ secrets.METRICS_SKIPPED_REPO }} # THIS LINE is newly added, and the value of it is a comma-separated string of repo full handleBut in the job logs, the value of secret
Is this a bug? Or is there an option to turn off the output of metrics? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
I'm guessing that filtering is failing because the secret is getting formatted to be more human-readable before getting logged. Honestly, do any inputs need to be logged? They should already all be available as raw values in the log when expanding the step's configuration AFAIK, which should always be filtered properly. |
Beta Was this translation helpful? Give feedback.
-
|
Well, you're totally right. After I updated the secret in the format metrics outputs(all lower case & no any space, e.g. |
Beta Was this translation helpful? Give feedback.
-
|
No problem! This should still probably be looked into IMO, because a differently-formatted secret is still a secret 😆 |
Beta Was this translation helpful? Give feedback.
-
I guess we could add an option to toggle this off. These are mostly printed to make debugging easier as raw inputs may not exactly reflects what the action will use (plus it prints out the defaults values and explicitly display which inputs are initialized) Maybe just documenting that the array type is lowercased prior to parsing (and thus secrets for arrays should be lowercased too) would be enough though 🤔 |
Beta Was this translation helpful? Give feedback.
I'm guessing that filtering is failing because the secret is getting formatted to be more human-readable before getting logged.
Honestly, do any inputs need to be logged? They should already all be available as raw values in the log when expanding the step's configuration AFAIK, which should always be filtered properly.