Secret value leaked in Github Action logs #13
Comments
somethingnew2-0
added a commit
to somethingnew2-0/SimpleCSPM
that referenced
this issue
Oct 22, 2021
Do not use this Github Action as it leaks the `clasp` secrets in the publicly accessible Github Action workflow logs. See ericanastas/deploy-google-app-script-action#1 and hmanzur/actions-set-secret#13 for more details.
somethingnew2-0
added a commit
to somethingnew2-0/SimpleCSPM
that referenced
this issue
Oct 22, 2021
Do not use this Github Action as it leaks the `clasp` secrets in the publicly accessible Github Action workflow logs. See ericanastas/deploy-google-app-script-action#1 and hmanzur/actions-set-secret#13 for more details.
|
You're looking for the |
calexander3
pushed a commit
to TonicAI/github-actions-set-secret
that referenced
this issue
Apr 5, 2024
chore: update to node20
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When using this Github Action, the secret value to be set as an input is logged in the Github Action logs that is publicly accessible to anyone logged into Github for public Github repositories.
For example in the Github Action logs it looks like:
I do not know of a workaround to redact this information from Github Action logs as it appears that only secrets specified as inputs like
{{ secrets.MY_REPOSITORY_SECRET }}will be properly redacted which unfortunately defeats the purpose of this module.My recommendation is that no one should use this Github Action module unless their Github Action logs are properly protected, redacted, or has a minimal retention window of 0 days.
See ericanastas/deploy-google-app-script-action#1 for more details
The text was updated successfully, but these errors were encountered: