docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

secrets are visible in the debug messages #1025

Closed dsl400 closed 6 months ago

dsl400 commented 6 months ago

Description

I can see the whole private key in the debug log when I run the workflow locally using act

```yaml
- name: Build and push
  uses: docker/build-push-action@v5
  with:
    context: .
    push: false
    tags: eu.gcr.io/${{ env.GCP_PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
    build-args: |
      GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}
```

```text
[Deploy to Cloud/deploy] 💬 ::debug::Exec.getExecOutput: docker buildx build --build-arg GCP_CREDENTIALS={"type":"service_account","project_id":
```

Expected behaviour

secrets should not be shown in the logs

Actual behaviour

secrets are shown in the debug output

Repository URL

No response

Workflow run URL

No response

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

crazy-max commented 6 months ago
> ```yaml
> build-args: |
>   GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}
> ```

Similar to https://github.com/docker/build-push-action/issues/1026#issuecomment-1856014613

Using build arguments to pass credentials is a bad practice as it would leak in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.

> secrets should not be shown in the logs

Same as https://github.com/docker/metadata-action/issues/354#issuecomment-1833871160

This is not something we are doing on our side to hide secrets. This is part of the actions runner runtime. I suggest opening an issue on https://github.com/actions/runner; this might be a bug with their secret masker logic.
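The build-time secret approach the maintainer points to, shown as an added example on the reporter's step (it is not code from the issue or from the project's documentation); the secret id `GCP_CREDENTIALS` and the Dockerfile consumer in the note below are assumptions.

```yaml
# Added example: the reporter's step rewritten to hand the service-account
# key to BuildKit as a secret instead of a build argument. A build arg is
# expanded on the `docker buildx build` command line (which the runner's
# debug output echoes) and is recorded in the image history of any layer
# that uses it; a secret mount is only readable by the RUN instruction that
# requests it and is never written into a layer.
- name: Build and push
  uses: docker/build-push-action@v5
  with:
    context: .
    push: false
    tags: eu.gcr.io/${{ env.GCP_PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
    # Weak (the original): the key is interpolated into the build command.
    # build-args: |
    #   GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}
    # Corrected: expose the value to BuildKit under the id GCP_CREDENTIALS
    # (assumed id); it never appears in the command line or the image.
    secrets: |
      GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}
```

The Dockerfile then consumes it only in the step that needs it, e.g. `RUN --mount=type=secret,id=GCP_CREDENTIALS gcloud auth activate-service-account --key-file=/run/secrets/GCP_CREDENTIALS` (assumed consumer), and the file is gone once that instruction finishes.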