Don't dump env to the console for every slug
Describe the bug
For every slug value, rlespinasse/slugify-value is run, which dumps the entire env to the console. Not only does this clutter the console, it is also a major security risk as there may be sensitive information stored in environment variables.
To Reproduce
N/A
Expected behavior
Don't dump env to the console unless asked for. It seems this behavior can be controlled by publish-env, but this parameter is not available to the slug action.
Screenshots
Run rlespinasse/[email protected]
  with:
    key: GITHUB_REPOSITORY_NAME_PART
    value: grpc-test
    slug-maxlength: 63
    publish-env: true
  env:
    GITHUB_REPOSITORY: asarkar/grpc-test
    ...dozens more
The dump in the console is due to the runner's internals; I don't have control over that.
I will think about an improvement to avoid the excess logs due to the current implementation of this action.
The logs show only the environment variables added during the job steps, not the environment variables or secrets defined at your project level.
See the project secrets and variables defined but not displayed in the console (of the first image)
> The dump in the console is due to the runner's internals; I don't have control over that.
I’m no Linux super user, but perhaps command tracing is turned on? https://superuser.com/q/806599
> The logs show only the environment variables added during the job steps
That’s what I’m talking about as well. A common example is publishing artifacts/Docker images, which requires credentials to be set as env vars. These are fetched from secrets and set as env vars in the publishing step, and the console dump certainly includes those.
Luckily, GitHub masks values fetched from secrets, but there are limitations to that, which I don’t want to go into for security reasons.
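
Added example, not part of the issue thread or of the action's code: a log audit that walks the `env:` block of each `Run ...` step header, in the shape quoted in this issue, and reports variables that look like credentials but were not masked as `***`. The function name, the sample log and the name and URL heuristics are assumptions made for this example.

```python
import re

# Constructed sample in the shape of the step header quoted in this issue;
# the action name, variable names and values are made up for the example.
SAMPLE_LOG = """\
Run example-org/example-action@v1
  with:
    key: GITHUB_REPOSITORY_NAME_PART
  env:
    GITHUB_REPOSITORY: asarkar/grpc-test
    DOCKER_PASSWORD: ***
    REGISTRY_TOKEN: not-a-real-token
    BUILD_URL: https://user:hunter2@example.invalid/build
"""

MASK = "***"  # printed by the runner in place of a registered secret
# Heuristics chosen for this example, not an exhaustive list.
SENSITIVE_NAME = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|CREDENTIAL|API_?KEY|PRIVATE_KEY", re.I)
URL_USERINFO = re.compile(r"://[^/\s:@]+:([^/\s@]+)@")
ENTRY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s?(.*)$")


def audit_env_blocks(log_text):
    """Return (step, name, reason) for env entries that look exposed."""
    findings, step, in_env = [], None, False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Run "):       # a new step header begins
            step, in_env = stripped[4:], False
            continue
        if stripped in ("with:", "env:"):     # section markers in the header
            in_env = stripped == "env:"
            continue
        entry = ENTRY.match(line)
        if not entry:                         # anything else ends the block
            in_env = False
            continue
        if not in_env:                        # "with:" inputs are not audited
            continue
        name, value = entry.group(1), entry.group(2).strip()
        userinfo = URL_USERINFO.search(value)
        if userinfo and userinfo.group(1) != MASK:
            findings.append((step, name, "credentials embedded in URL"))
        elif SENSITIVE_NAME.search(name) and value not in ("", MASK):
            findings.append((step, name, "sensitive name, value not masked"))
    return findings


if __name__ == "__main__":
    for step, name, reason in audit_env_blocks(SAMPLE_LOG):
        print(f"{step}: {name}: {reason}")  # the value is never echoed
```

The audit reports only the step and variable name, so its own output can be kept in CI logs without repeating the exposed value.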