Open ericsampson opened 4 years ago
I used GITHUB_OUTPUT but the value isn't masked
But you put the string into the command instead of the `env:` block.
@jsoref nevermind, the problem is in the used upstream action: https://github.com/aws-actions/amazon-ecr-login/issues/485
Just want to share some code here for anyone who got stuck on this, taken from here https://github.com/google-github-actions/get-secretmanager-secrets/issues/288

```yaml
- id: fetch-secret
  uses: google-github-actions/get-secretmanager-secrets@v2
  with:
    secrets: |-
      secrets:projects/${{ inputs.projectId }}/secrets/${{ inputs.dbSecretName }}/versions/latest
- id: pg-password
  name: mask the password
  env:
    # pass the secret through env, not through ${{ }} inside the run script,
    # so it never appears in the command line the runner logs
    SECRET: '${{ steps.fetch-secret.outputs.secrets }}'
  run: |
    # -r strips the JSON quotes so the mask matches the bare value, not "value"
    VALUE1="$(jq -r .key1 <<< "${SECRET}")"
    VALUE2="$(jq -r .key2 <<< "${SECRET}")"
    echo "::add-mask::${VALUE1}"
    echo "::add-mask::${VALUE2}"
```
@sourceful-karlson I'd say the secret value is going to be shown in the details of the run, in the env section, unless that google action does something I don't know
I don't understand how this issue gains no traction. The existence of the function add-mask, which does not fulfill its purpose at all, gives people a false sense of security.
The function should be fixed ASAP with high priority or be deleted.
@Croydon I don't know how to get more attention from someone at GitHub. Get a popular YTer like @ThePrimeagen to upload a video blasting this security issue that hasn't been addressed for four years?
New to GH Actions, but having the same issue.
Just trying to re-iterate and simply present it again for attention.
```yaml
jobs:
  printing-secret:
    runs-on: ubuntu-latest
    steps:
      - name: generate
        id: generate
        run: |
          secret="$RANDOM"
          echo "::add-mask::$secret"
          echo "secret=$secret" >> "$GITHUB_OUTPUT"
      - name: print
        run: |
          echo "generated secret is : ${SECRET}"
        env:
          SECRET: ${{ steps.generate.outputs.secret }}
    outputs:
      secret: ${{ steps.generate.outputs.secret }}
  fetch-secret:
    runs-on: ubuntu-latest
    needs: [printing-secret]
    steps:
      - name: fetch
        id: fetch
        run: |
          echo "fetched secret is : ${FETCHED_SECRET}"
        env:
          FETCHED_SECRET: ${{ needs.printing-secret.outputs.secret }}
```
It performs masking for steps within a job (and the value won't show up even when debugging is enabled): `printing-secret -> print`

```
generated secret is : ***
```

But it doesn't fetch any value when passed between the jobs with add-mask: `fetch-secret`

```
fetched secret is :
```
@p-pal, the first job triggers:

```
Warning: Skip output 'secret' since it may contain secret.
```

~Oddly, I can't find any documentation that warns about this behavior.~ But it is clearly a design feature.

> Job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions.

GitHub's documentation does include information about how to pass secrets between jobs:
(I wrote that documentation a while ago...) It includes some hand waving, so you'll have to fill in the details using your preferred magic.
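One way to fill in that hand waving, as an added example that is not code from this thread, from the runner project or from the GitHub docs: since a job output that contains a masked value is dropped at the end of the job, the generating job encrypts the value with a passphrase held in a repository secret and ships it as an artifact, and the consuming job decrypts it and registers the mask again, because `::add-mask::` only applies to the job that issued it. The secret name `TRANSFER_PASSPHRASE` and the artifact name are assumptions.

```yaml
name: pass-masked-value-between-jobs
on: workflow_dispatch
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - name: generate, mask and encrypt
        env:
          PASSPHRASE: ${{ secrets.TRANSFER_PASSPHRASE }}   # assumed repository secret
        run: |
          value="$(openssl rand -hex 16)"
          echo "::add-mask::${value}"
          # A job output holding this value would be skipped ("may contain secret"),
          # so encrypt it symmetrically and hand it over as an artifact instead.
          gpg --batch --pinentry-mode loopback --symmetric --cipher-algo AES256 \
              --passphrase "${PASSPHRASE}" --output value.gpg <<< "${value}"
      - uses: actions/upload-artifact@v4
        with:
          name: transfer-value   # assumed artifact name
          path: value.gpg
  consume:
    runs-on: ubuntu-latest
    needs: generate
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: transfer-value
      - name: decrypt and mask again
        env:
          PASSPHRASE: ${{ secrets.TRANSFER_PASSPHRASE }}
        run: |
          value="$(gpg --batch --pinentry-mode loopback --quiet --decrypt \
                       --passphrase "${PASSPHRASE}" value.gpg)"
          # Masks do not carry across jobs: register it here before any use.
          echo "::add-mask::${value}"
          echo "decrypted value is : ${value}"   # log shows ***
```

The value never appears in a `${{ }}` expression inside a `run:` script, so it is also absent from the command line the runner prints for each step.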
Describe the bug
According to https://github.com/actions/runner/issues/159, the issue where the add-mask workflow command echoes/leaks the secret was supposed to be fixed, but we still observe it. This was also mentioned on the GitHub forum by a Partner.

To Reproduce
Steps to reproduce the behavior:

```shell
echo "::add-mask::${{ steps.mystep.outputs.myvalue }}"
```

Expected behavior
Raw output is not echoed to the log.

Runner Version and Platform
Hosted Ubuntu