-password flag in bash command being replaced by -***

I don’t get why Actions is totally replacing my password flag here with -*** instead of password="test123".

- run: ./flyway -q -url="jdbc:postgresql://11.222.333.444:5432/postgres" -user="postgres" -password="test123" -locations="filesystem:src/graphql/DB/pgMem/migrations" info

When it runs, I see Run ./flyway -q -url="jdbc:postgresql://11.222.333.444:5432/postgres" -user="postgres" -*** -locations="filesystem:src/graphql/DB/pgMem/migrations" info

Why is it that all other flags are fine but this one?


@dschinkel well the only thing being redacted is something that looks like a password.
So I suspect this is GitHub trying to help prevent accidental disclosure: "GitHub uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64. However, because there are multiple ways a secret value can be transformed, this redaction is not guaranteed."
There does not seem to be a lot of information on this, but the information I quoted above is at the following reference: security-hardening-for-github-actions
Redaction of possible secrets from logs is a common feature of many CI/CD and other products.

Yeah, but it doesn’t matter if it’s hard-coded or I use a GitHub secret. The crux of the problem is that for some reason the flag password is being transformed due to a malformed string or something. The hard-coded password above is not what’s in my real yml, but I’ve tried both using a secret and hard-coding it just to see if I could fix this, and neither makes any difference; I still have the same issue.

Here’s another example; you can see that it’s totally malformed once it runs. The username doesn’t even come through, so it’s sending null (not because of the secret, because of this string).

- run: ./flyway -q -url="jdbc:postgresql:///${{secrets.DB_NAME}}?cloudSqlInstance=${{secrets.CLOUD_SQL_CONNECTION_NAME}}&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=${{secrets.DB_USER}}&password=${{secrets.DB_PASS}}" -locations="filesystem:src/graphql/DB/pgMem/migrations" info

Everything is malformed in so many places. You can see jdbc:***ql and user=***&***, which is totally not what the original command looks like.

@dschinkel, apologies. I see from your reply that your problem is not just redaction from a log but actual values passed being malformed at runtime; I don’t have an answer for that.
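
Added example (not part of the thread and not GitHub's implementation): a small Python model of the log redaction quoted in the reply above, run over a constructed flyway command. The secret values and the `variants`, `redact` and `demo` names are assumptions made for illustration; it shows how exact-substring masking produces `jdbc:***ql` when a configured secret's value is `postgres`, and why a URL-encoded secret is not masked.

```python
from __future__ import annotations

import base64
from urllib.parse import quote

MASK = "***"

# Constructed secret values for illustration; none of them come from the thread.
SECRETS = {"DB_USER": "postgres", "DB_PASS": "Tr1cky&Pass"}


def variants(value: str) -> set[str]:
    """The literal value plus its Base64 form, the encoding the quoted doc names."""
    return {value, base64.b64encode(value.encode()).decode()}


def redact(line: str, secrets: dict[str, str]) -> str:
    """Mask every exact occurrence of a secret variant in a log line, longest first."""
    targets: set[str] = set()
    for value in secrets.values():
        if value:  # an empty value would match at every position
            targets |= variants(value)
    for target in sorted(targets, key=len, reverse=True):
        line = line.replace(target, MASK)
    return line


def demo() -> dict[str, str]:
    user, pw = SECRETS["DB_USER"], SECRETS["DB_PASS"]
    cmd = f'./flyway -url="jdbc:postgresql:///appdb?user={user}&password={pw}" info'
    b64_line = "token=" + base64.b64encode(pw.encode()).decode()
    url_line = "password=" + quote(pw, safe="")  # '&' becomes '%26'
    return {
        "executed": cmd,                         # the command string itself is not altered
        "logged": redact(cmd, SECRETS),          # 'postgres' inside 'postgresql' is masked too
        "base64": redact(b64_line, SECRETS),     # known encoding: masked
        "urlencoded": redact(url_line, SECRETS), # transformed value: not an exact match
    }


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:>10}: {text}")
```

In this model only the logged copy of the line changes; a secret whose value is a common word is masked wherever that word appears, and a secret that is transformed before being printed passes through unmasked.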