Open jsoref opened 8 months ago
I have a question about this problem, because I don't fully understand it.
Does .gitignore exclude the .secrets file, and is it not in the git index? (In that case the file is not copied into the container and is not accessible to the workflow; it also won't be added by git add . even outside of a container.)
.dockerignore isn't really used by act in most places (maybe only for legacy remote actions, and only if they use a Dockerfile).
I'm concerned that act has copied over the file in the first place. It isn't so much that .gitignore doesn't know not to add the file.
GitHub Actions has secrets, but it goes to great lengths not to dump them into the file system unprompted.
Act reads .gitignore to decide which files not to copy into the container.
Do you propose to add additional ignores hardcoded into act?
If act is using .secrets, then yes.
Or at the very least, if it isn't ignored by .gitignore and was used by act, then it needs to warn that it's going to leak the file to the workspace.
fwiw, yes, .gitignore does keep the file out, but that isn't remotely obvious.
Heck, the fact that .secrets is automatically used isn't mentioned in any README.md or similar thing in this repository. It's just mentioned in the help:
% act --help|grep secrets|grep default
--secret-file string file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets")
I really really really wish it was documented in the main README.md.
Maybe early exit act if --secret-file exists, but not ignored. To accept the risk and allow running it, they need to use --allow-leaking-secret-file to opt out.
Just an idea from my side.
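The pre-flight check proposed above, as an added shell example (not act's own code). It assumes git is installed and that the workspace is a git repository; it exits non-zero when the secret file is present and would be copied into the workflow, i.e. when it is either tracked or not matched by any .gitignore rule.

```shell
#!/bin/sh
# Added example, not part of act: refuse to proceed when the secret file would
# end up in the workflow workspace. Assumes git is available on PATH.
# Returns 0 when safe (file absent, or ignored and untracked), 1 otherwise.
act_secret_file_check() {
    repo="$1"
    secret_file="${2:-.secrets}"   # act's documented default is .secrets

    # Nothing to leak if the file does not exist in the workspace.
    [ -e "$repo/$secret_file" ] || return 0

    # A file already in the git index is copied regardless of .gitignore.
    if git -C "$repo" ls-files --error-unmatch -- "$secret_file" >/dev/null 2>&1; then
        echo "ERROR: $secret_file is tracked by git and will be copied into the workflow workspace" >&2
        return 1
    fi

    # git check-ignore exits 0 only when some ignore rule excludes the path.
    if git -C "$repo" check-ignore -q -- "$secret_file"; then
        return 0
    fi

    echo "ERROR: $secret_file exists but is not ignored; it would be copied into the container" >&2
    return 1
}

# Usage: act_secret_file_check /path/to/repo .secrets && act ...
```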
Technically the readme is obsolete and new content should go to https://nektosact.com/ https://github.com/nektos/act-docs
Practically that webpage doesn't work:
But if it did, then the contents of the readme should be removed and replaced with "See https://nektosact.com/"
Until then, the .env stuff could also be dramatically improved: https://github.com/jsoref/act/commit/5f3b6bfbae6a7c37b608043306dcddc9da85bb50
I'm less a doc writer than you are, based on your documentation fixes across GitHub.
Practically that webpage doesn't work:
In fact these are empty pages over in the docs sources. Both the readme and those are markdown.
I'm usually not writing any documentation....
Like, nowhere is it mentioned that --env-file env.yml and --secret-file secrets.yml both accept YAML, and have for 3/4 of a year, because I somewhat don't like godotenv syntax.
I'd be 💯 in favor of:
Maybe early exit act if --secret-file exists, but not ignored. To accept the risk and allow running it, they need to use --allow-leaking-secret-file to opt out.
I'm a coder, and can write docs, but only about things I know enough about, and within some time constraints. I'm not going to write docs from scratch. I will do minor doc fixes within reason -- as long as they're relatively cheap to do.
Fwiw, I landed on https://nektosact.com/ w/in the past week or two, tried to use it, decided it was mostly broken and basically discarded it.
Yeah, two important pages are empty; this should certainly be corrected. Other than that it contains information not found in the readme and has a search bar.
Once those two pages are fixed the readme in this repository should be truncated to have very little :)
Otherwise you're splitting focus and increasing likelihood of people not visiting the doc site.
@jsoref FYI the landing pages seem to be fixed now:
Issue is stale and will be closed in 14 days unless there is new activity
So, https://nektosact.com/usage/index.html?highlight=secret#secrets doesn't warn that the files are likely to be copied over by act.
It could suggest using .git/..., ../..., or using .gitignore.
Bug report info
Command used with act
Describe issue
The prettier workflow I'm using does a git add ., a git commit, and a git show HEAD (or something functionally equivalent). The output shows that the .secrets file is included in the workspace and thus effectively leaked to the workflow.
Link to GitHub repository
No response
Workflow content
Relevant log output
The .dockerignore was because I wanted to see if using .secrets in .dockerignore would fix it -- it didn't.
Additional information
I "worked around" this by using --secret-file .git/act-secrets, but this didn't technically protect the file from being leaked to the workflow; it just prevented the git commit from catching the file.