
Ability to Hide Option Values When Using Task Options In a Task or Flow Run

Open Julian88Tex opened this issue 2 years ago • 3 comments

Feature Type

I'm interested in extensions to existing CumulusCI functionality (e.g., broader applicability of an existing Task or Flow).

Does your feature request solve a current problem?

For some tasks, secrets may need to be passed in. In order to prevent exposure in logs, it would be helpful to have an option to hide the values being sent to tasks.

Currently a command like this: cci flow run dev_org -o robot__vars AUTH_PROVIDER_SECRET:MY_EXOPSED_SECRET

Would result in a log that looks similar to this:

                    ------------------------------------------------------------                       
                    Running task: robot                                                                
                    ------------------------------------------------------------                       
                                                                                                       
                    Options:                                                                           
                      suites:                                                                          
                        - utils/enable_history/enable_history.robot                                    
                      vars:                                                                            
                        - AUTH_PROVIDER_SECRET:MY_EXOPSED_SECRET    

Describe the solution you'd like

Example of what it may look like in logs while task/flow is running:

                    ------------------------------------------------------------                       
                    Running task: robot                                                                
                    ------------------------------------------------------------                       
                                                                                                       
                    Options:                                                                           
                      suites:                                                                          
                        - utils/enable_history/enable_history.robot                                    
                      vars:                                                                            
                        - AUTH_PROVIDER_SECRET:*****

Describe alternatives you've considered

The only workaround I can think of when running this in a CI is to manually add these secrets to the tool's secret list. Features like GitHub Actions will obfuscate secrets that match, but this would not be sustainable if secrets are being pulled dynamically.

Additional context

No response

Julian88Tex, Apr 18 '22 04:04

This actually has turned into a blocker for me to use CCI in GitHub Actions while passing secrets in a variable since multi-line secrets are not able to be easily masked.


Julian88Tex, Apr 21 '22 00:04
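A sketch of the log masking requested in the issue, including the multi-line case from the comment above. This is an added example, not CumulusCI code and not written by anyone in the thread; `mask_value`, `format_options`, and the name pattern are hypothetical, and it assumes secrets are identifiable by the option or variable name.

```python
import re

# Assumption: option/variable names containing these words hold secrets.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSWORD", re.IGNORECASE)
MASK = "*****"


def mask_value(value, name=""):
    """Return a copy of `value` that is safe to write to a log."""
    if isinstance(value, dict):
        return {k: mask_value(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_value(v, name) for v in value]
    if SENSITIVE_NAME.search(name):
        return MASK
    if not isinstance(value, str):
        return value
    # NAME:VALUE entries, as used by the robot task's "vars" option.
    var_name, sep, _secret = value.partition(":")
    if sep and SENSITIVE_NAME.search(var_name):
        return f"{var_name}:{MASK}"  # drops the whole value, newlines included
    return value


def format_options(options):
    """Render masked options in the layout of the task log shown above."""
    lines = ["Options:"]
    for name, value in mask_value(options).items():
        if isinstance(value, list):
            lines.append(f"  {name}:")
            lines.extend(f"    - {item}" for item in value)
        else:
            lines.append(f"  {name}: {value}")
    return "\n".join(lines)


# Constructed sample input; the second var is a multi-line value.
SAMPLE = {
    "suites": ["utils/enable_history/enable_history.robot"],
    "vars": [
        "AUTH_PROVIDER_SECRET:MY_EXOPSED_SECRET",
        "SIGNING_TOKEN:line-one\nline-two",
        "BROWSER:chrome",
    ],
}

if __name__ == "__main__":
    print(format_options(SAMPLE))
```

Masking by name rather than by matching known secret strings is what lets this cover dynamically fetched and multi-line values; a secret passed under a name the pattern does not match would still be logged.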

Secrets are generally best handled by environment variables.

https://robotframework.org/robotframework/latest/libraries/OperatingSystem.html#Get%20Environment%20Variable

Does that work for you?

prescod, Apr 21 '22 18:04

@prescod hm, I'm still learning about scope and subshells... I was having some issues first saving them in one step and then accessing them in another since they are running in separate shells, right?

Julian88Tex, Apr 21 '22 21:04