
Remove improper use of setSecret for username in OIDC utils

Open wwalendz-relativity opened this issue 6 months ago • 2 comments

Is your feature request related to a problem? Please describe.

Currently, the code marks the username as a secret using core.setSecret(username) in setOidcStepOutputs (src/oidc-utils.ts). Usernames are generally not sensitive information, and marking them as secrets can result in unnecessary log obfuscation and confusion. A username can also appear as part of many other non-sensitive names used in the workflow.

Describe the solution you'd like to see

Remove the call to core.setSecret(username) from the setOidcStepOutputs function and only mark truly sensitive values such as tokens and passwords as secrets. If the username is ever sensitive, ensure that is a documented exception.

Describe alternatives you've considered

  • Leaving the code as-is, which may lead to unnecessary log redactions for non-sensitive values.
  • Adding a comment to clarify when a username should be treated as a secret (if ever).

Additional context

Reference: https://github.com/jfrog/setup-jfrog-cli/blob/29fa5190a4123350e81e2a2e8d803b2a27fed15e/src/oidc-utils.ts#L160

wwalendz-relativity · Jun 11 '25 13:06

This incorrect masking causes a problem in the following scenario:

  1. Artifactory service account is named after the service
  2. The name of the service is passed as an input when calling another workflow using the workflow_call trigger

This causes GitHub to skip this input when executing the workflow_call. A warning is logged in the caller workflow, but, as it is only a warning, not an error, it is not immediately obvious that this is the cause of an error in the called workflow. The callee simply proceeds with an empty string value.

Warning: Skip output 'service-name' since it may contain secret.

kamilk · Jun 11 '25 13:06
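As an added illustration of the issue body and the scenario above (not code from setup-jfrog-cli): the over-masking variant beside the proposed fix, driven by a small constructed stand-in for the runner. The stand-in, the output names `oidc-user`/`oidc-token`, and the `CoreLike` interface are assumptions made for this example; only `setSecret` and `setOutput` mirror real `@actions/core` calls, and the skip rule is a simplified model of the warning kamilk quotes.

```typescript
// Minimal stand-in for the two @actions/core calls involved (assumption: real
// code imports @actions/core; here it is injected so the example runs offline).
interface CoreLike {
  setSecret(value: string): void;
  setOutput(name: string, value: string): void;
}

interface OidcCredentials {
  username: string;
  accessToken: string;
}

// "Before": the behaviour the issue reports, masking the username as well.
function setOidcStepOutputsOverMasked(core: CoreLike, creds: OidcCredentials): void {
  core.setSecret(creds.username); // over-masking: username is not a credential
  core.setSecret(creds.accessToken);
  core.setOutput('oidc-user', creds.username); // output names are assumed
  core.setOutput('oidc-token', creds.accessToken);
}

// "After": only the token is registered as a secret.
function setOidcStepOutputsFixed(core: CoreLike, creds: OidcCredentials): void {
  core.setSecret(creds.accessToken);
  core.setOutput('oidc-user', creds.username);
  core.setOutput('oidc-token', creds.accessToken);
}

// Constructed model of the runner: records secrets and outputs, redacts log
// lines, and drops any workflow_call output that contains a masked value.
// Simplified for illustration; not the real runner logic.
class FakeCore implements CoreLike {
  secrets: string[] = [];
  outputs = new Map<string, string>();
  warnings: string[] = [];
  setSecret(value: string): void { if (value) this.secrets.push(value); }
  setOutput(name: string, value: string): void { this.outputs.set(name, value); }
  // Replace every registered secret in a log line with ***.
  redact(line: string): string {
    return this.secrets.reduce((acc, s) => acc.split(s).join('***'), line);
  }
  // Mirrors the warning quoted in the issue: an output whose value contains a
  // masked value is skipped and the callee sees an empty string.
  workflowCallOutput(name: string, value: string): string {
    if (this.secrets.some((s) => value.includes(s))) {
      this.warnings.push(`Skip output '${name}' since it may contain secret.`);
      return '';
    }
    return value;
  }
}
```

With the username masked, an unrelated `service-name` output that happens to equal the service account name is dropped; with only the token masked, it passes through while the token is still redacted.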

This seems like a duplicate of https://github.com/jfrog/setup-jfrog-cli/issues/207

---EDIT---

eh, nevermind. not quite a duplicate. but similar.

ajschmidt8 · Sep 03 '25 13:09