From 83d91d52572dd4241c1e5241054cb889d8f46534 Mon Sep 17 00:00:00 2001
From: James Dawson
Date: Wed, 12 Feb 2025 14:31:17 +0000
Subject: [PATCH] Fixes some loose secrets handling

- Removes logging of base64 strings
- Adds explicit GHA masking for the base64 strings
- Consume the base64 strings via environment variables in GHA scripts, to avoid another logging disclosure scenario

---
 actions/prepare-env-vars-and-secrets/action.yml | 3 +--
 actions/set-env-vars-and-secrets/action.yml | 11 ++++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/actions/prepare-env-vars-and-secrets/action.yml b/actions/prepare-env-vars-and-secrets/action.yml
index 5950e91..330c88d 100644
--- a/actions/prepare-env-vars-and-secrets/action.yml
+++ b/actions/prepare-env-vars-and-secrets/action.yml
@@ -33,7 +33,6 @@ runs:
 $yaml = ConvertFrom-Yaml $srcEnvVars | ConvertTo-Yaml
 Write-Host "yaml: $yaml"
 $yamlb64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($yaml))
- Write-Host "yamlb64: $yamlb64"
 ("RESOLVED_ENV_VARS={0}" -f $yamlb64) | Out-File -Append $env:GITHUB_OUTPUT
 shell: pwsh
 
@@ -48,6 +47,6 @@ runs:
 $yaml = ConvertFrom-Yaml $srcSecrets | ConvertTo-Yaml
 Write-Host "yaml: $yaml"
 $yamlb64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($yaml))
- Write-Host "yamlb64: $yamlb64"
+ Write-Host ("::add-mask::{0}" -f $yamlb64)
 ("RESOLVED_SECRETS={0}" -f $yamlb64) | Out-File -Append $env:GITHUB_OUTPUT
 shell: pwsh
\ No newline at end of file
diff --git a/actions/set-env-vars-and-secrets/action.yml b/actions/set-env-vars-and-secrets/action.yml
index aa5121e..0e1a3aa 100644
--- a/actions/set-env-vars-and-secrets/action.yml
+++ b/actions/set-env-vars-and-secrets/action.yml
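Review bot: The plaintext form of the secrets is still logged three lines above the new mask in the second hunk: `Write-Host "yaml: $yaml"` prints the decoded secrets YAML to the job log, while the added `::add-mask::` covers only the base64 encoding, so the encoded disclosure is fixed but the unencoded one remains. Unless every resolved value is already a registered mask (and ConvertTo-Yaml's quoting or folding can change a value's textual form enough to defeat an existing mask), that line should be deleted, or reduced to non-sensitive information such as `Write-Host ("secrets resolved: {0}" -f (ConvertFrom-Yaml $srcSecrets).Keys.Count)`. Registering the mask before the value is written to `$env:GITHUB_OUTPUT` is the right order, and since masks apply only within the job that registers them, the consuming action re-masking the same blob (as the second file does) is the correct pairing. The enclosing run script starts outside the hunk.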
@@ -19,20 +19,25 @@ runs:
 - id: setEnvironmentVariables
 name: Set Environment Variables
 run: |
- $envVarsYaml = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("${{ inputs.environmentVariablesYamlBase64 }}"))
+ $envVarsYaml = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:INCOMING_ENV_VARS))
 $envVars = ConvertFrom-Yaml $envVarsYaml
 foreach ($envVarName in $envVars.Keys) {
 ('{0}={1}' -f $envVarName, $envVars[$envVarName]) | Out-File -Append -FilePath $env:GITHUB_ENV
 }
 shell: pwsh
+ env:
+ INCOMING_ENV_VARS: ${{ inputs.environmentVariablesYamlBase64 }}
 - id: setSecrets
 name: Set Secrets
 run: |
 Import-Module Powershell-yaml
- $secretsYaml = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("${{ inputs.secretsYamlBase64 }}"))
+ Write-Host ("::add-mask::{0}" -f $env:INCOMING_SECRETS)
+ $secretsYaml = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:INCOMING_SECRETS))
 $secrets = ConvertFrom-Yaml $secretsYaml
 foreach ($secretName in $secrets.Keys) {
 ('{0}={1}' -f $secretName, $secrets[$secretName]) | Out-File -Append -FilePath $env:GITHUB_ENV
 Write-Host ("::add-mask::{0}" -f $secrets[$secretName])
 }
- shell: pwsh
\ No newline at end of file
+ shell: pwsh
+ env:
+ INCOMING_SECRETS: ${{ inputs.secretsYamlBase64 }}
\ No newline at end of file
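Review bot: Replacing the inlined `"${{ inputs... }}"` literal with `$env:INCOMING_ENV_VARS` / `$env:INCOMING_SECRETS` changes the empty-input case: an absent environment variable reads back as `$null` in PowerShell (possibly also an empty one, depending on the runner OS), and `[Convert]::FromBase64String($null)` throws, whereas the old `""` decoded to an empty string and the foreach simply did nothing. If either input is optional, either coerce it, `[Convert]::FromBase64String([string]$env:INCOMING_SECRETS)`, or guard before decoding with `if ([string]::IsNullOrEmpty($env:INCOMING_SECRETS)) { return }` in both steps; the guard also avoids emitting `::add-mask::` with an empty value, which the runner is likely to warn about. Moving the values into `env:` is the right change since it stops the input from being spliced into the script source, and placing the mask before anything that could echo the blob is correctly ordered. The pre-existing `{0}={1}` writes to `$GITHUB_ENV` still assume single-line values (a multi-line value would need the `name<<delimiter` form), but that is outside what this commit changes.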