appany / helm-oci-chart-releaser

Push Helm Charts to OCI-based registries
MIT License
59 stars, 13 forks

Explicitly mask registry password #9

Closed L1ghtman2k closed 1 year ago

L1ghtman2k commented 1 year ago

Currently, https://github.com/appany/helm-oci-chart-releaser/blob/a517e1b617d0377cbca9073bd8b0f35daf83059c/action.yaml#L38

exposes the password if ${{ inputs.registry_password }} is not already masked. This could happen if the input is not a secret (e.g. anything other than GITHUB_TOKEN, like AWS_SECRET_ACCESS_KEY passed as an input). Explicitly masking should prevent accidental leaks of the token in the output stream.

L1ghtman2k commented 1 year ago

Huh, I have to make fixes; this issue just exposes the secret earlier, when defining the environment variable.

L1ghtman2k commented 1 year ago

It seems like, generally, actions don't bother with this, since most of the inputs are already secrets. My case was a little different. I essentially generated a dynamic secret, which wasn't explicitly masked, and thus it was exposed. I am not sure of a good solution, except for explicitly warning users to manually mask sensitive data if it is not masked already.
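The following is an added example, not code from helm-oci-chart-releaser or from the commenter. It shows the `::add-mask::` workflow command that the first comment proposes for registering a dynamic secret with the runner, and it models the runner's log redaction offline to illustrate the ordering problem raised in the second comment: a mask only affects log output written after it is registered, so a value that the runner has already printed (for example in a step's `with:`/`env:` header) stays visible. The `redact` filter, the `DYNAMIC_PASSWORD` value and the log lines are all constructed for this example; the real runner does the redaction itself and the real password would come from whatever command issues the token. The masking helper goes slightly beyond the thread by handling multi-line values, which the runner matches line by line.

```shell
#!/bin/sh
# Added example (not the project's code): explicit masking of a dynamic
# secret with ::add-mask::, plus an offline model of the runner's log
# redaction to show why the mask must be registered before the value is
# ever written to the log.

# Register VALUE so the runner replaces it with *** in all later log output.
# Multi-line values are registered one line at a time, because the runner
# matches each registered mask literally against every log line.
mask_secret() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
  done
}

# Offline stand-in for the runner's log filter (constructed for this example).
# Reads log lines on stdin, consumes ::add-mask:: commands as they appear,
# and replaces every previously registered value (literal match, not regex)
# with *** in the lines that follow.  Nothing printed earlier is touched.
redact() {
  awk '
    index($0, "::add-mask::") == 1 { masks[++n] = substr($0, 13); next }
    {
      for (i = 1; i <= n; i++) {
        m = masks[i]
        if (m == "") continue
        out = ""; s = $0
        while ((p = index(s, m)) > 0) {
          out = out substr(s, 1, p - 1) "***"
          s = substr(s, p + length(m))
        }
        $0 = out s
      }
      print
    }'
}

# Dynamic password, constructed for the example; in practice this would be
# the output of a registry login-token command, not a repository secret.
DYNAMIC_PASSWORD='eyJhbGciOi.example.token'

# Vulnerable order: the runner prints the action's inputs in the step header
# before any of the action's own steps run, so the password is already in
# the log by the time the action masks it.  (Log lines are constructed.)
vulnerable_log() {
  {
    printf 'with:\n  registry_password: %s\n' "$DYNAMIC_PASSWORD"
    mask_secret "$DYNAMIC_PASSWORD"
    printf 'helm registry login --password %s\n' "$DYNAMIC_PASSWORD"
  } | redact
}

# Hardened order: the step that generates the secret masks it first, in the
# caller's workflow, before it is passed to any action as an input.
hardened_log() {
  {
    mask_secret "$DYNAMIC_PASSWORD"
    printf 'with:\n  registry_password: %s\n' "$DYNAMIC_PASSWORD"
    printf 'helm registry login --password %s\n' "$DYNAMIC_PASSWORD"
  } | redact
}

vulnerable_log
echo ---
hardened_log
```

In a real workflow the `mask_secret` call belongs in the `run:` step that produces the token (with the value then published via `$GITHUB_OUTPUT` or an environment file), since an action cannot retroactively hide an input the runner has already logged.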