Closed dsl400 closed 6 months ago
build-args: |
  GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}
Similar to https://github.com/docker/build-push-action/issues/1026#issuecomment-1856014613
Using build arguments to pass credentials is a bad practice as it would leak in the final image. Please use build time secrets for this: https://docs.docker.com/build/ci/github-actions/secrets/. More info https://docs.docker.com/build/building/secrets/.
secrets should not be shown in the logs
Same as https://github.com/docker/metadata-action/issues/354#issuecomment-1833871160
This is not something we are doing on our side to hide secrets. This is part of the actions runner runtime. I suggest opening an issue on https://github.com/actions/runner, this might be a bug with their secret masker logic.
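The build-time-secret approach recommended in the reply above, shown against the `build-args` usage from the issue. This is an added example, not part of the original thread or the project's documentation. The workflow and job names, the image tag `example/app:latest` and the `./deploy-step` command are hypothetical.

```yaml
# Added example: names, image tag and ./deploy-step are hypothetical.
name: build-with-secret
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      # Before (from the issue): the value is passed as --build-arg on the
      # `docker buildx build` command line, which is what the debug log
      # printed, and a build argument leaks into the final image.
      #   build-args: |
      #     GCP_CREDENTIALS=${{ secrets.GCP_CREDENTIALS }}

      - name: Build
        uses: docker/build-push-action@v6
        env:
          # The JSON key is handed to the step as an environment variable.
          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
        with:
          context: .
          push: false
          tags: example/app:latest
          # Format is <secret id>=<environment variable name>. Only the
          # variable name is passed to the build command, and the JSON value
          # does not need the quoting that the `secrets:` input requires.
          secret-envs: |
            gcp_credentials=GCP_CREDENTIALS

# Dockerfile side: the secret is mounted for a single RUN step at
# /run/secrets/<id> and is not written to any image layer.
#   RUN --mount=type=secret,id=gcp_credentials \
#       GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcp_credentials ./deploy-step
#
# Check after building: `docker history --no-trunc example/app:latest`
# should contain no GCP_CREDENTIALS value.
```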
Description
I can see the whole private key in the debug log when I run the workflow locally using act
[Deploy to Cloud/deploy] 💬 ::debug::Exec.getExecOutput: docker buildx build --build-arg GCP_CREDENTIALS={"type":"service_account","project_id":
Expected behaviour
secrets should not be shown in the logs
Actual behaviour
secrets are shown in the debug output