Hiding api keys/secrets #21

withviz · 2021-05-21T12:06:32Z

withviz
May 21, 2021

I have noticed that although it possible to hide keys in flat.yaml by using ${{secrets.KEY} it is possible to view the secret after an action is run in the resulting commit.
e.g

{
  "date": "2021-05-20T00:41:33.729Z",
  "files": [
    {
      "name": "data.json",
      "deltaBytes": 6,
      "source": "https://myapiexample/data.json&myactualkeyinplaintext"
    }
  ]
}

how can keys be totally hidden?

Answered by irealva

May 26, 2021

Hi there, we just added a way to do this with this #26. You can now use an optional mask parameter in two ways:

Option 1: use a string boolean

mask: true # removes the source entirely from the commit message, defaults to false

Option 2: use a string array with each secret to mask

mask: '["${{ secrets.SECRET1 }}", "${{ secrets.SECRET2 }}"]'

View full answer

Wattenberger · 2021-05-24T15:34:52Z

Wattenberger
May 24, 2021
Maintainer

I did some digging here last Friday. Ideally, we would obfuscate any secrets in the endpoint url. Unfortunately, once the http_url gets to main.ts run(), it's a plain string. I noticed that the output of core.info() and console.log() are obfuscated, but there's no way to get that output.

I'm not sure if we can get a list of secrets to just do the hacky thing and encode anything that lives in a secret.
The best fallback I can think of is to just have a way to configure the commit output in the flat action, although that's not ideal

I'd love to automatically obscure secrets, though, if anyone can find a way!

0 replies

irealva · 2021-05-26T19:28:00Z

irealva
May 26, 2021

Hi there, we just added a way to do this with this #26. You can now use an optional mask parameter in two ways:

Option 1: use a string boolean

mask: true # removes the source entirely from the commit message, defaults to false

Option 2: use a string array with each secret to mask

mask: '["${{ secrets.SECRET1 }}", "${{ secrets.SECRET2 }}"]'

1 reply

RandomFractals Jun 2, 2021

why not just mask them by default without any mask parameter?

might be unrelated, but I really like how vscode restbook extension handles it now. you guys should try it and see its outputs : tanhakabir/rest-book#78

irealva · 2021-06-02T23:06:43Z

irealva
Jun 2, 2021

The thought was that there are cases where you might want to show part of the source like: `source: www.mypage.com/?flag=yes&flag2=***` Especially when chaining multiple flat actions together the source let's you see quickly what commits came from what sources. Trying to keep the tool as flexible as possible if it's an easy add to just support both use cases.

…

On Wed, Jun 2, 2021, 10:22 AM Taras Novak ***@***.***> wrote: why not just mask them by default without any mask parameter? might be unrelated, but I really like how vscode restbook extension handles it now. you guys should try it and see its outputs : tanhakabir/rest-book#78 (comment) <tanhakabir/rest-book#78 (comment)> — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#21 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACEQB3VHQBCUZJZKUHQ2EBLTQY5EFANCNFSM45JAZIHA> .

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hiding api keys/secrets #21

{{title}}

Replies: 3 comments 1 reply

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Hiding api keys/secrets #21

withviz May 21, 2021

Replies: 3 comments · 1 reply

Wattenberger May 24, 2021 Maintainer

irealva May 26, 2021

RandomFractals Jun 2, 2021

irealva Jun 2, 2021

withviz
May 21, 2021

Replies: 3 comments 1 reply

Wattenberger
May 24, 2021
Maintainer

irealva
May 26, 2021

irealva
Jun 2, 2021