octokit / request-action

A GitHub Action to send arbitrary requests to GitHub's REST API

Home Page:https://github.com/marketplace/actions/GitHub-API-Request


[BUG]: sensitive output (`actions/runners/registration-token`) can't be masked

dennisameling opened this issue · comments

What happened?

Consider the following Actions config:

    - name: Generate Actions Runner token
      uses: octokit/request-action@v2.x
      id: generate-actions-runner-token
      with:
        route: POST /repos/{owner}/{repo}/actions/runners/registration-token
        owner: ${{ env.ACTIONS_RUNNER_ORG }}
        repo: ${{ env.ACTIONS_RUNNER_REPO }}
      env:
        GITHUB_TOKEN: ${{ secrets.GH_API_PAT }}

    - name: Set and mask Actions Runner token for next steps
      run: |
        # We need to mask the token first before setting it to an env variable
        echo "::add-mask::${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}"
        ACTIONS_RUNNER_TOKEN=${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}
        echo ACTIONS_RUNNER_TOKEN=$ACTIONS_RUNNER_TOKEN >> $GITHUB_ENV

This actually exposes the token to the CI logs, as also reported in this issue: actions/runner#475

[screenshot attached to the original issue]

You might want to add a warning about this to the README of this action or find another solution to hide this sensitive data. Thanks!

Versions

octokit/request-action@v2.x

Relevant log output

See above

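The exposure in the config above comes from interpolating the token into the `run:` script with `${{ }}`: the expanded value is already part of the script text that the runner writes to the log, so the `::add-mask::` command runs too late. Keeping the expression out of the script body avoids that: pass the step output through `env:` and extract the token inside the script, masking it before it is written to `GITHUB_ENV`. The block below is an added example, not code from octokit/request-action or from the issue author; the step wiring in the leading comment, the `RUNNER_DATA` variable and the script name are assumptions, and the JSON used in the comments is constructed. It uses `sed` rather than `jq` so it has no dependency beyond a POSIX shell.

```shell
# Added example (hypothetical): the body of a hardened "mask and export the
# runner token" step. Assumed step definition in the workflow:
#
#   - name: Mask and export Actions Runner token
#     env:
#       RUNNER_DATA: ${{ steps.generate-actions-runner-token.outputs.data }}
#     run: ./mask_runner_token.sh
#
# The script text contains only the name "$RUNNER_DATA", so the line the
# runner prints for this step does not contain the token itself.

# Pull the "token" field out of the JSON the action placed in outputs.data,
# e.g. the constructed value {"token":"AAAA1234","expires_at":"2020-01-01T00:00:00Z"}.
extract_token() {
  printf '%s' "$1" \
    | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Register the token as masked, then export it for later steps, in that order.
# $1 = JSON from outputs.data, $2 = path of the GITHUB_ENV file.
mask_and_export_token() {
  data="$1"
  env_file="$2"
  token=$(extract_token "$data")
  if [ -z "$token" ]; then
    echo "::error::no token field found in outputs.data" >&2
    return 1
  fi
  # The runner consumes this workflow command and redacts the value from
  # all subsequent log output; nothing has printed the token before this point.
  echo "::add-mask::$token"
  echo "ACTIONS_RUNNER_TOKEN=$token" >> "$env_file"
}

# Only act when running as a real step; when sourced elsewhere the functions
# are available to the caller without side effects.
if [ -n "${GITHUB_ENV:-}" ] && [ -n "${RUNNER_DATA:-}" ]; then
  mask_and_export_token "$RUNNER_DATA" "$GITHUB_ENV"
fi
```

The ordering matters: the `::add-mask::` line must reach the runner before any other command can print the value, which is why the script never echoes `$token` on its own and why later steps should reference `$ACTIONS_RUNNER_TOKEN` from the environment rather than re-reading `steps.*.outputs.data` with `${{ }}`.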

@dennisameling thanks for your concern here! This does appear to be a bug with actions/runner upstream as you've linked; I can't find anywhere in this repository we have logic related to masking specifically.

I do think that a README update might be useful here. Is that something you have interest in creating?

Sorry for the late reply here!

> I do think that a README update might be useful here. Is that something you have interest in creating?

Sure, please give me a few days to work through some other things first. Will link the PR to this issue when done 👍🏼

Perhaps an enterprising Hacktoberfest contributor may want to take this on!