8000 buildx(build): always register as secret the value passed as build secret string by crazy-max · Pull Request #645 · docker/actions-toolkit · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

buildx(build): always register as secret the value passed as build secret string #645

8000
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 8, 2025
Merged

buildx(build): always register as secret the value passed as build secret string #645

merged 1 commit into from
Apr 8, 2025

Conversation

crazy-max
Copy link
Member

In docker/build-push-action a build secret can be passed directly in the workflow using key/value pair with the secrets input:

      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.MYTOKEN }}

Registered GitHub Secrets within the repository are already redacted in the logs but some users might pass them as plain text like:

      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: user/app:latest
          secrets: |
            MYSECRET=foo

Even if this value is already leaked within the workflow we can at least always register as secret the value passed as build secret string here.

8000 @crazy-max
buildx(build): always register as secret the value passed as build se…
6ddae4e 
…cret string

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the secret-enforce-redact branch from 884ab02 to 6ddae4e Compare April 7, 2025 09:23
fiam
fiam approved these changes Apr 7, 2025
View reviewed changes
Copy link
Collaborator
@fiam fiam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

crazy-max
crazy-max commented Apr 7, 2025
View reviewed changes
src/buildx/build.ts
@@ -310,13 +319,16 @@ export class Build {
return false;
}

private static parseSecretKvp(kvp: string): [string, string] {
public static parseSecretKvp(kvp: string, redact?: boolean): [string, string] {
Copy link
Member Author
8000

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this method public so we can use it in build-push-action repo to redact the secrets input for build summary case.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened docker/build-push-action#1351 as follow-up

@crazy-max crazy-max mentioned this pull request Apr 7, 2025
Closed
@crazy-max crazy-max self-assigned this Apr 7, 2025
@crazy-max crazy-max merged commit b7b0b4c into docker:main Apr 8, 2025
86 checks passed
@crazy-max crazy-max deleted the secret-enforce-redact branch April 8, 2025 11:25
@Rucellmai61
Copy link

Rucellmai61

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fiam fiam fiam approved these changes

@tonistiigi tonistiigi Awaiting requested review from tonistiigi

@temenuzhka-thede temenuzhka-thede Awaiting requested review from temenuzhka-thede

Assignees

@crazy-max crazy-max

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@crazy-max @Rucellmai61 @fiam
0