Job output contains a secret

Hello,

in my workflow I have a preparatory job that reads a settings file from the repository and creates dynamic outputs from that. It creates a dynamic matrix for subsequent jobs and gets the ImageNameRoot which I use when creating the Docker image name for uploading to Github Packages (the whole name then looks like docker.pkg.github.com/${ user }/${ repository }/${ ImageNameRoot }${ ImageType }:${ Version }).

I also have, in my repository's secrets storage vault, a stored login and password for third party services. It just so happens that the login is a subset of ImageNameRoot, i.e. the login sequence of characters is wholly included in the ImageNameRoot sequence of characters. (Let me reiterate that everybody who looks at the workflow/repository can find out what the ImageNameRoot is.)

Now I discovered that during the run of the preparatory job, there was a yellow window (I don’t have it stored and as I re-ran the workflow, it disappeared) informing me that the job output can contain a secret and it was redacted. The problem is, the ImageNameRoot output became an empty string. Given that I use this name as a Github Package name, it would create and upload a newly named package. (Fortunately, I was watching it and stopped it in time. It is a public repository, so I wouldn’t be able to delete this package.)

I consider it a pretty severe bug. What I would expect to happen is to either fail on the preparatory job stage when it cannot export an output or to actually ascertain that the output is not from secrets vault and do nothing, i.e. don’t redact. But in no way to output an empty string. (As it is now the Github Actions logic actually has negative output on security, as it tells everybody what is the content of given secret.)

So far I changed (deleted) the third party login/password service. But can I do anything else about it?

I cannot store the 3rd party login in repository, as it would clash against the fork+work+pull flow (every developer can/needs to have his own login/password combination in repository). The image’s names are the same for everybody, as these are just tester runners and are separated from each other by the ${ user }/${ repository } combination.

(The actual workflow is this.)

Thank you.
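One defensive check for the situation described in this post, added here as an example and not taken from the poster's workflow: compose the package name only after verifying that the ImageNameRoot output survived the job boundary, so a redacted (empty) output fails the step instead of silently publishing a package under a wrong name. The function name and the sample values are constructed; in a workflow it would run in a `run:` step fed from `needs.<job>.outputs.ImageNameRoot`.

```shell
#!/usr/bin/env sh
# Added example (not the original poster's code): refuse to build a Docker image
# name when a job output arrived empty, which is what happens when the runner
# redacts an output that contains a secret substring.

# compose_image_name USER REPOSITORY IMAGE_NAME_ROOT IMAGE_TYPE VERSION
# Prints docker.pkg.github.com/<user>/<repository>/<root><type>:<version>,
# or prints nothing and returns 1 if any component is missing or the root
# contains characters a registry path would reject.
compose_image_name() {
  gh_user="$1"; gh_repo="$2"; img_root="$3"; img_type="$4"; img_version="$5"

  # The failure mode from the post: the output was redacted to "".
  if [ -z "$img_root" ]; then
    echo "ImageNameRoot is empty (possibly redacted as a secret); aborting" >&2
    return 1
  fi

  # Registry path components: lowercase letters, digits, '.', '_', '-'.
  case "$img_root" in
    *[!a-z0-9._-]*)
      echo "ImageNameRoot '$img_root' contains invalid characters" >&2
      return 1 ;;
  esac

  for component in "$gh_user" "$gh_repo" "$img_type" "$img_version"; do
    if [ -z "$component" ]; then
      echo "missing image name component; aborting" >&2
      return 1
    fi
  done

  printf '%s\n' "docker.pkg.github.com/${gh_user}/${gh_repo}/${img_root}${img_type}:${img_version}"
}
```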

Hi @cerna ,

Thank you for reaching out! I checked your workflow yaml, the ImageNameRoot output value comes from ‘./machinekit-hal/scripts/debian-distro-settings.json’, however not any secrets related. The output value is displayed on the printf command.

[screenshot: outputvalue.png]

For output value, it will always display value in logs, it’s a limitation that cannot avoid data leaking with it.

If you include secrets in the output value, it’s by design that empty will display, checked on my side as below:

[screenshot: outputsecrets.png]

Please still avoid printing secrets to the log intentionally.

Thanks.