Mask secrets in job output (#231)
Previously, secrets would be shown in log output as provided. This commit updates the stepLogFormatter to replace any instance of the secret string with "***", as GitHub Actions would. Known issues: if the secret is a generic string (such as "docker"), all occurrences of that string will be replaced in the output. Co-authored-by: Casey Lee <cplee@nektos.com>
parent
a5e86bd024
commit
d3f25bac79
2 changed files with 10 additions and 3 deletions
|
@ -38,11 +38,12 @@ func init() {
|
|||
}
|
||||
|
||||
// WithJobLogger attaches a new logger to context that is aware of steps
|
||||
func WithJobLogger(ctx context.Context, jobName string) context.Context {
|
||||
func WithJobLogger(ctx context.Context, jobName string, secrets map[string]string) context.Context {
|
||||
mux.Lock()
|
||||
defer mux.Unlock()
|
||||
formatter := new(stepLogFormatter)
|
||||
formatter.color = colors[nextColor%len(colors)]
|
||||
formatter.secrets = secrets
|
||||
nextColor++
|
||||
|
||||
logger := logrus.New()
|
||||
|
@ -56,11 +57,17 @@ func WithJobLogger(ctx context.Context, jobName string) context.Context {
|
|||
|
||||
type stepLogFormatter struct {
|
||||
color int
|
||||
secrets map[string]string
|
||||
}
|
||||
|
||||
func (f *stepLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
|
||||
b := &bytes.Buffer{}
|
||||
|
||||
// Replace any secrets in the entry
|
||||
for _, v := range f.secrets {
|
||||
entry.Message = strings.ReplaceAll(entry.Message, v, "***")
|
||||
}
|
||||
|
||||
if f.isColored(entry) {
|
||||
f.printColored(b, entry)
|
||||
} else {
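Review bot: The masking loop in `Format` passes every value of `f.secrets` to `strings.ReplaceAll` without checking for an empty string, and `ReplaceAll` with an empty `old` inserts the replacement between every character, so a single empty or unset secret would turn every log line into noise; skip those with `if v == "" { continue }` at the top of the loop. Map iteration order is also random, so when one secret is a prefix or substring of another, the shorter one can be replaced first and leave the tail of the longer one readable; replacing longest-first (values sorted by length once in `WithJobLogger`) avoids that. Only `entry.Message` is masked here; if `printColored` or the plain branch also writes `entry.Data` fields, those would still carry the raw value, which is worth confirming since that code is outside this hunk. `Format`'s body continues past the end of the hunk.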
|
||||
|
|
|
@ -73,7 +73,7 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
|
|||
}
|
||||
stageExecutor = append(stageExecutor, func(ctx context.Context) error {
|
||||
jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
|
||||
return rc.Executor()(WithJobLogger(ctx, jobName))
|
||||
return rc.Executor()(WithJobLogger(ctx, jobName, rc.Config.Secrets))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|