Environment variables are displayed as clear-text
rorpage opened this issue · comments
When running this action the Lambda function environment variables are displayed clear-text in the build output. Is there a flag or option to suppress that output?
Thanks! Your code works like a charm otherwise!
Second @rorpage. Love the action... but cannot use this anywhere if env vars are being logged.
I will take it.
@ptallen63 Do you have any screenshots?
Can verify this is happening. Here's an anonymized log from GHA:
##[command]/usr/bin/docker run --name e87b52daece746306b478d86dd660231940aa5_0747c0 ...
2020/03/31 05:22:05 {
  ...,
  Environment: {
    Variables: {
      AAA_BBB_CCC: "SECRET SECRET SECRET",
      DDD_EEE_FFF: "..."
    }
  },
  FunctionArn: "arn:aws:lambda:us-east-1:...",
  FunctionName: "...",
  Handler: "...",
  ...
}
I'm not proficient in Go, but I believe this issue is caused by this line: https://github.com/appleboy/drone-lambda/blob/master/plugin.go#L137
Given that Actions log files for public repos are public and it is common to store runtime secrets in env vars, I believe this is an urgent security issue.
@adriangodong I will move the log message into debug mode.
Confirmed 0.0.3 works! Thank you, much appreciated!
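An added example, not code from drone-lambda or from anyone in this thread: one way to keep environment values out of the build log, by printing the configuration only in debug mode and masking values even then, since debug output lands in the same log. `FunctionConfig`, `Redacted` and `LogLine` are hypothetical names, and the struct is a stand-in for the fields in the log above, not the AWS SDK type.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FunctionConfig is a hypothetical stand-in for the configuration printed
// in the log above; it is not the AWS SDK type.
type FunctionConfig struct {
	FunctionName string
	Handler      string
	Environment  map[string]string
}

// Redacted returns a copy whose environment values are masked. Variable
// names are kept so the log still shows which variables were configured.
// The receiver's map is not modified.
func (c FunctionConfig) Redacted() FunctionConfig {
	out := c
	out.Environment = make(map[string]string, len(c.Environment))
	for name := range c.Environment {
		out.Environment[name] = "***"
	}
	return out
}

// LogLine builds the text written to the build log. Without debug it names
// the function only; with debug it prints the masked configuration.
func LogLine(c FunctionConfig, debug bool) string {
	summary := fmt.Sprintf("updated function %s", c.FunctionName)
	if !debug {
		return summary
	}
	b, err := json.Marshal(c.Redacted())
	if err != nil {
		return summary // never fall back to printing the raw struct
	}
	return string(b)
}

func main() {
	// Constructed sample mirroring the anonymized log in this thread.
	cfg := FunctionConfig{
		FunctionName: "example-fn",
		Handler:      "index.handler",
		Environment:  map[string]string{"AAA_BBB_CCC": "SECRET SECRET SECRET"},
	}
	fmt.Println(LogLine(cfg, false))
	fmt.Println(LogLine(cfg, true))
}
```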