Github Actions Mask Expression #26032

ugam-paul · 2020-08-26T11:43:37Z

ugam-paul
Aug 26, 2020

Hi everyone. I ran into a problem recently regarding github actions and it’s logs.
I need to run a cli command like how it’s available for aws. The parameters contain username and password.
What I did was, I created a JSON file with the username and password parameters, encrypted the same using GPG and stored the passphrase on github secrets.
In my workflow, I decrypted the same and to parse it I used:
content=cat $TMP/secret.json
content="{content//'%'/'%25'}" content="{content//'\n'/'%0A'}" content="{content//$’\r’/’%0D’}"
echo “::set-output name=json::$content”

To pass the username and password I used:
{{ fromJson(steps.var.outputs.json).username }} {{ fromJson(steps.var.outputs.json).password }}

The problem is when this expression gets evaluated it shows up in logs. To try and avoid this I did:
echo “::add-mask::{{ fromJson(steps.var.outputs.json).username }} echo "::set-output name=secret-username::{{ fromJson(steps.var.outputs.json).username }}”
echo “::add-mask::{{ fromJson(steps.var.outputs.json).password }}" echo "::set-output name=secret-password::{{ fromJson(steps.var.outputs.json).password }}”

Now in the CLI command the username and password seems to be masked, but still in the add-mask command it’s shown. It seems like expressions are evaluated and printed as commands before add-mask can register them.

Is there any workaround regarding the same?
My apologies regarding the long post.

Edit: I can’t seem to get the formatting right for the post. My apologies for that as well.

Answered by BrightRan

Aug 31, 2020

@ugam-paul ,

The following workaround should work:

Add the command lines you need to execute in a bash script file (e.g. mask.sh).

Execute the bash script in your workflow.

- name: mask secret
  id: mask
  run: |
    chmod +x ./mask.sh
    ./mask.sh

When “run” a bash script file, the command lines in the script file will not be printed in the logs.

Here is a example I tested on my side:

View full answer

BrightRan · 2020-08-27T02:16:12Z

BrightRan
Aug 27, 2020

@ugam-paul,

As a workaround to avoid the username and password are displayed in the logs before mask, you can manually add a multi-line secret that contains some strings or keywords you want to mask in the logs.
In this way, the strings or keywords in the logs will be hidden as long as they match any line you set in this secret.
For example:
Set a secret like as this.

add_secret929×446 12.6 KB

Then in the workflow, map this secret as a global (workflow level) environment variable.

. . .
env:
  SOME_SECRETS: ${{ secrets.SOME_SECRETS }}
jobs:

. . .

0 replies

ugam-paul · 2020-08-27T07:32:56Z

ugam-paul
Aug 27, 2020
Author

Hi @brightran. Thank you for your response.
While this is a good suggestion, it won’t work in my case as the secret could change and has to be dynamic. The only problem with the method I’m using is that expression evaluations show up in logs even if it is supposed to be masked. Since I’m using masking and expression evaluation in the same line.

echo “::add-mask::{{ fromJson(steps.var.outputs.json).username }}"

Anything else I could try regarding this case?

0 replies

BrightRan · 2020-08-28T08:11:21Z

BrightRan
Aug 28, 2020

@ugam-paul,

How about mask the whole json content?
I see you have this step,

echo “::set-output name=json::$content”

Maybe you can try to add this step to see if it work.

echo “::add-mask::{{ fromJson(steps.var.outputs.json) }}”

0 replies

ugam-paul · 2020-08-28T10:13:27Z

ugam-paul
Aug 28, 2020
Author

@brightran

Tried this way. While in the logs, github shows the line as
“::add-mask::Object”
In the subsequent line the credentials still show up.

0 replies

BrightRan · 2020-08-31T09:57:18Z

BrightRan
Aug 31, 2020

@ugam-paul ,

The following workaround should work:

Add the command lines you need to execute in a bash script file (e.g. mask.sh).

Execute the bash script in your workflow.

- name: mask secret
  id: mask
  run: |
    chmod +x ./mask.sh
    ./mask.sh

When “run” a bash script file, the command lines in the script file will not be printed in the logs.

Here is a example I tested on my side:

0 replies

ugam-paul · 2020-09-01T08:32:02Z

ugam-paul
Sep 1, 2020
Author

Hi @brightran!

This worked like a charm!
Thank you so much for the quick replies and an apt solution.

0 replies

BrightRan · 2020-09-01T09:32:59Z

BrightRan
Sep 1, 2020

You’re welcome, @ugam-paul .
And glad that my suggestion is helpful to you.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Github Actions Mask Expression #26032

{{title}}

Replies: 7 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Github Actions Mask Expression #26032

ugam-paul Aug 26, 2020

Replies: 7 comments

BrightRan Aug 27, 2020

ugam-paul Aug 27, 2020 Author

BrightRan Aug 28, 2020

ugam-paul Aug 28, 2020 Author

BrightRan Aug 31, 2020

ugam-paul Sep 1, 2020 Author

BrightRan Sep 1, 2020

ugam-paul
Aug 26, 2020

BrightRan
Aug 27, 2020

ugam-paul
Aug 27, 2020
Author

BrightRan
Aug 28, 2020

ugam-paul
Aug 28, 2020
Author

BrightRan
Aug 31, 2020

ugam-paul
Sep 1, 2020
Author

BrightRan
Sep 1, 2020