Open Miker91 opened 1 year ago
Good point - will take a look into it
I don't think the secrets are evaluated by the `eval` call. They are already evaluated as part of the overwrite value by GitHub Actions. You need to escape the `${{...}}` in your yaml expression.
Having said that, I guess the `eval` can leak undesired properties. I would go for a more explicit way to replace the variables you want to support, something like this (untested):
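```js
overwrite.replaceAll(/\$\{(\w+)\}/g, (match, varName) => {
  switch (varName) {
    case 'workflow_link': return workflow_link;
    // ...
    default: return match; // leave unknown placeholders untouched
  }
});
```
or
```js
const vars = { workflow_link, /* ... */ };
// Build the pattern from the allowed names only; 'g' is required by replaceAll.
const pattern = new RegExp(`\\$\\{(${Object.keys(vars).join('|')})\\}`, 'g');
overwrite.replaceAll(pattern, (match, varName) => vars[varName]);
```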
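The difference between eval-style rendering and the explicit replacement suggested above, as an added example that is not part of the original thread or the action's own code. `renderUnsafe`, `renderSafe`, `demo`, the `DEMO_TOKEN` variable and the sample values are hypothetical; `renderUnsafe` is a stand-in for an `eval`-based template, since the action's actual call is not shown on this page.

```javascript
// Eval-style rendering (stand-in, assumption): the string is executed as a
// template literal, so any expression inside ${...} runs and can read
// values the author never meant to expose, such as process.env.
function renderUnsafe(template, vars) {
  const fn = new Function(...Object.keys(vars), 'return `' + template + '`;');
  return fn(...Object.values(vars));
}

// Allow-list rendering: only ${name} placeholders whose name is an own key
// of `vars` are substituted. Expressions and unknown names stay literal text.
function renderSafe(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match
  );
}

// Constructed sample input: one supported variable and one expression that
// reaches into the environment.
function demo() {
  process.env.DEMO_TOKEN = 'constructed-secret-value'; // constructed, not a real secret
  const vars = { workflow_link: 'https://example.invalid/run/1' };
  const template = 'Build: ${workflow_link} token=${process.env.DEMO_TOKEN}';
  return {
    unsafe: renderUnsafe(template, vars),
    safe: renderSafe(template, vars),
  };
}

const result = demo();
console.log('eval-style :', result.unsafe);
console.log('allow-list :', result.safe);
```

The own-property check also keeps inherited names such as `constructor` from being substituted.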
@Miker91 @Skitionek I don't see such a bug as of now, maybe the bug has been fixed, would you confirm?
Hi,
Secrets should not be parsed and returned in the notifications. People may want to use this action having organization-wide secrets which should not be returned in clear text.
Example:
Result: