From b2eb460e7299212b2d22c01d1c53b0c88ab630aa Mon Sep 17 00:00:00 2001
From: Michael Tautschnig
Date: Thu, 22 Aug 2024 18:32:44 +0000
Subject: [PATCH] Make sure no information fetched from secrets manager is logged
Use GitHub's log masking to ensure even tokens that do not match GitHub's default filter are replaced by asterisks.
---
 .github/workflows/release-brew.yaml | 24 ++++++++++++++++++------
 .github/workflows/release-pypi.yaml | 8 ++++++--
 .github/workflows/release.yaml | 4 +++-
 3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release-brew.yaml b/.github/workflows/release-brew.yaml
index 2b5603d..7a2a148 100644
--- a/.github/workflows/release-brew.yaml
+++ b/.github/workflows/release-brew.yaml
@@ -66,8 +66,12 @@ jobs:
 - name: Fetch secrets
 run: |
- echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ bot_email=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')
+ echo "::add-mask::$bot_email"
+ echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+ homebrew_github_api_token=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')
+ echo "::add-mask::$homebrew_github_api_token"
+ echo "HOMEBREW_GITHUB_API_TOKEN=$homebrew_github_api_token" >> $GITHUB_ENV
 - name: Configure git user name and email
 run: |
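Review bot: A failing `aws secretsmanager get-secret-value` call goes unnoticed in the new `bot_email=$(... | jq -r '.SecretString')` and `homebrew_github_api_token=$(...)` assignments, because the step runs under the runner's default `bash -e` (no `shell:` key is visible in this hunk, though a job-level `defaults.run.shell` outside it could change that) and without `pipefail` the pipeline's status is jq's, so the variable silently ends up empty, `::add-mask::` is handed an empty value and an empty `BOT_EMAIL`/`HOMEBREW_GITHUB_API_TOKEN` is written to `$GITHUB_ENV`, with the job only failing later in a less obvious place. Set `shell: bash` on the step (which runs with `-eo pipefail`) or start the script with `set -o pipefail`, and guard each value before it is masked and exported, e.g. `[ -n "$bot_email" ] || { echo "::error::BOT_EMAIL secret is empty"; exit 1; }`. The same applies to the Fetch secrets hunks at -102 and -167 in this file and to the ones in release-pypi.yaml and release.yaml. While touching these lines, quote the redirect target as `>> "$GITHUB_ENV"`.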
@@ -102,8 +106,12 @@ jobs:
 - name: Fetch secrets
 run: |
- echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+ echo "::add-mask::$fork_repo"
+ echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
 - name: Checkout PR
 run: |
@@ -167,8 +175,12 @@ jobs:
 - name: Fetch secrets
 run: |
- echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
+ bot_email="$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')"
+ echo "::add-mask::$bot_email"
+ echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+ fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+ echo "::add-mask::$fork_repo"
+ echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
 - name: Configure git user name and email
 run: |
diff --git a/.github/workflows/release-pypi.yaml b/.github/workflows/release-pypi.yaml
index 59cdcfa..039a166 100644
--- a/.github/workflows/release-pypi.yaml
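Review bot: In the -167 hunk the RELEASE_CI_ACCESS_TOKEN value is registered with `::add-mask::` only as part of the complete `fork_repo` URL, so the bare token is never masked in that job; the runner masks exact string matches, so a log line that carries the token on its own or embedded in a differently formatted URL (git's own diagnostics are the usual source) would not be redacted. The -102 hunk builds the same URL from an unmasked command substitution and only masks the token afterwards, fetching the same secret a second time to do so. In both steps fetch the token once into its own variable, mask it, and derive the URL from it: `github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"`, `echo "::add-mask::$github_token"`, `fork_repo="https://${github_token}@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"`, keeping the existing `echo "::add-mask::$fork_repo"` line after it so the full URL stays masked as well.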
+++ b/.github/workflows/release-pypi.yaml
@@ -27,8 +27,12 @@ jobs:
 aws-region: ${{ env.AWS_REGION }}
 - name: Fetch secrets
 run: |
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
- echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
+ twine_password="$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$twine_password"
+ echo "TWINE_PASSWORD=$twine_password" >> $GITHUB_ENV
 - name: set asset path and name
 id: get_package_name
 run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fc2ada6..1384b45 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -38,7 +38,9 @@ jobs:
 aws-region: ${{ env.AWS_REGION }}
 - name: Fetch secrets
 run: |
- echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+ echo "::add-mask::$github_token"
+ echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
 - name: Create release
 uses: actions/create-release@v1
 with: