Closed L1ghtman2k closed 1 year ago
Huh, I have to make fixes; this issue just exposes the secret earlier, when defining the environment variable.
It seems like generally, actions don't bother with this, since most of the inputs are already secrets. My case was a little different. I essentially generated a dynamic secret, which wasn't explicitly masked, and thus, it was exposed. I am not sure of a good solution, except for explicitly warning users to manually mask sensitive data if it is not masked already.
Currently, https://github.com/appany/helm-oci-chart-releaser/blob/a517e1b617d0377cbca9073bd8b0f35daf83059c/action.yaml#L38 exposes the password if `${{ inputs.registry_password }}` is not already masked. This could happen if the input is not a secret (e.g. anything other than GITHUB_TOKEN, like AWS_SECRET_ACCESS_KEY passed as an input). Explicitly masking should prevent accidental leaks of the token in the output stream.
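
An added example, not part of this thread or of the action's code: masking a dynamically generated credential in the caller's workflow step that creates it, before it reaches any action input or `env:` block. The function names and the sample value are hypothetical; `::add-mask::` and `$GITHUB_OUTPUT` are the GitHub Actions mechanisms assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Source this in the workflow step
# that generates the credential, and publish it only through these functions.

# Emit one ::add-mask:: workflow command per non-empty line of the value.
# Workflow commands are read one line at a time, so a multi-line value
# needs one command per line or everything after the first line stays unmasked.
mask_secret() {
  printf '%s\n' "$1" | while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
}

# Mask first, then publish the value as a step output.
# $1 = output name, $2 = secret value
publish_masked_output() {
  if [ -z "$2" ]; then
    echo "refusing to publish empty value for '$1'" >&2
    return 1
  fi
  mask_secret "$2"
  # Heredoc-style delimiter so multi-line values survive in $GITHUB_OUTPUT.
  delim="ghadelim_$$_$(date +%s)"
  case "$2" in
    *"$delim"*) echo "value contains the delimiter" >&2; return 1 ;;
  esac
  {
    printf '%s<<%s\n' "$1" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}

# Typical call inside the generating step (value source is an assumption):
#   publish_masked_output registry_password "$GENERATED_PASSWORD"
```

Because the mask is registered in the step that produces the value, later steps that receive it as an input or environment variable log it already masked.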