Make sure no information fetched from secrets manager is logged

Use GitHub's log masking to ensure even tokens that do not match
GitHub's default filter are replaced by asterisks.

.github/workflows/release-brew.yaml

@@ -66,8 +66,12 @@ jobs:
 
  - name: Fetch secrets
  run: |
- echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ bot_email=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')
+ echo "::add-mask::$bot_email"
+ echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+ homebrew_github_api_token=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')
+ echo "::add-mask::$homebrew_github_api_token"
+ echo "HOMEBREW_GITHUB_API_TOKEN=$homebrew_github_api_token" >> $GITHUB_ENV
 
  - name: Configure git user name and email
  run: |
@@ -102,8 +106,12 @@ jobs:
 
  - name: Fetch secrets
  run: |
- echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+ echo "::add-mask::$fork_repo"
+ echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
 
  - name: Checkout PR
  run: |
@@ -167,8 +175,12 @@ jobs:
 
  - name: Fetch secrets
  run: |
- echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
+ bot_email="$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')"
+ echo "::add-mask::$bot_email"
+ echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+ fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+ echo "::add-mask::$fork_repo"
+ echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
 
  - name: Configure git user name and email
  run: |

.github/workflows/release-pypi.yaml

@@ -27,8 +27,12 @@ jobs:
  aws-region: ${{ env.AWS_REGION }}
  - name: Fetch secrets
  run: |
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
+ twine_password="$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$twine_password"
+ echo "TWINE_PASSWORD=$twine_password" >> $GITHUB_ENV
  - name: set asset path and name
  id: get_package_name
  run: |

.github/workflows/release.yaml

@@ -38,7 +38,9 @@ jobs:
  aws-region: ${{ env.AWS_REGION }}
  - name: Fetch secrets
  run: |
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
  - name: Create release
  uses: actions/create-release@v1
  with: