ruby / setup-ruby

An action to download a prebuilt Ruby and add it to the PATH in 5 seconds
https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
MIT License
803 stars 262 forks

Output from "env" potentially reveals secrets in the output #464

Closed brcarp closed 1 year ago

brcarp commented 1 year ago

When running ruby/setup-ruby@v1, the action's output has a section for with: and a section for env:, the latter of which prints in plaintext any environment variables, including ones that may have been set in the workflow to be pulled from repository or organizational secrets that are set by admins and not expected to be revealed to collaborators for security reasons. (These can be imported into the workflow's environment using ${{ secrets.SECRET_NAME }}.)

Is there any way that some environment variables can be designated as secrets such that their value can be redacted in the output that's otherwise visible to anyone who can run/view the actions (but may not be privy to all organizational secrets which might include authentication tokens)?

dentarg commented 1 year ago

I think that is just how GitHub Actions works?

It won't leak your secrets, GitHub knows what they are and hides them in the log:

Run ruby/setup-ruby@v1
  with:
    bundler-cache: true
    ruby-version: default
  env:
    BUNDLE_GITHUB__COM: x-access-token:***

brcarp commented 1 year ago

You're right. I had a custom named variable and when I had garbage in it, it was visible, but when it was a real token, GitHub hid it. Interesting.
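Added illustration, not code from setup-ruby or from GitHub: a small simulation of the masking behaviour dentarg describes (values the runner knows as secrets are replaced by *** in the log, anything else is printed as-is), together with the ::add-mask:: workflow command, which is GitHub's documented way to register an arbitrary value for redaction. The token value and the CUSTOM_VAR name are constructed for the example.

```python
ADD_MASK = "::add-mask::"
MASK = "***"


def redact_log(lines, known_secrets=()):
    """Simulated log filter (illustration only, not the runner's code).

    `known_secrets` stands in for values the runner already knows, i.e.
    anything taken from `secrets.*`. A line `::add-mask::VALUE` registers
    VALUE for masking in every later line and is itself dropped from the
    visible log. All other lines are emitted with every registered value
    replaced by `***`, longest value first so a secret that is a substring
    of another is still fully covered.
    """
    secrets = {s for s in known_secrets if s}
    visible = []
    for line in lines:
        if line.startswith(ADD_MASK):
            value = line[len(ADD_MASK):].strip()
            if value:
                secrets.add(value)
            continue
        for s in sorted(secrets, key=len, reverse=True):
            line = line.replace(s, MASK)
        visible.append(line)
    return visible


# Constructed sample: a token that came from a repository secret (known to
# the runner) and a custom variable whose value was typed by hand.
SAMPLE_TOKEN = "ghp_exampleToken123"  # constructed placeholder, not a real token
SAMPLE_LOG = [
    "Run ruby/setup-ruby@v1",
    "  with:",
    "    bundler-cache: true",
    "  env:",
    f"    BUNDLE_GITHUB__COM: x-access-token:{SAMPLE_TOKEN}",
    "    CUSTOM_VAR: handtyped-garbage",
]


def without_add_mask():
    # What brcarp saw: the secret-derived token is hidden, the hand-typed value is not.
    return redact_log(SAMPLE_LOG, known_secrets=[SAMPLE_TOKEN])


def with_add_mask():
    # Registering the custom value in an earlier step makes it redacted too.
    return redact_log(["::add-mask::handtyped-garbage", *SAMPLE_LOG],
                      known_secrets=[SAMPLE_TOKEN])
```

In a real workflow the echo "::add-mask::$CUSTOM_VAR" has to run in a step before the one whose env: block prints the value, since the runner only masks values it has already seen registered.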