GitHub server: improve security of sensitive information

[plocket]

We won't print any sensitive info, but we don't know what docassemble will print in its logs.

1. [By default], skip creating a docker log artifact. That way, users can be sure docassemble doesn't print any of their sensitive information in the GitHub artifact. Also echo that that artifacts are turned off and how to turn them on.
2. Instruct users to put their sensitive config strings in their GitHub secrets so that the information doesn't show in the job console either.
3. [By default], silence the job console docker output completely. echo how they can turn those logs on.

Edit:

Docs: because your config is a github secret, you won't be able to see it's value at all as GitHub will replace it with "***" even if you choose to show the logs. We'd need to implement this: You can use an action "variable" for your organization or your repository if you don't want the config to be hidden by github.

Maybe a question for a new issue: Instead of making an artifact, return the text of the docker log as an output? Still, avoid doing it by default, at least before turning off the logs, as that will show it in the console - whenever any bash command is run, all the output values are shown as env vars for some reason. I am concerned, though, that this output will show in the dev's own code unintentionally.

[plocket]

[This way doesn't work at all (not sure why or what it's actually supposed to do), but we found a different method of outputting bash commands to /dev/null.]

This might be a way to hide logs: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#stopping-and-starting-workflow-commands. I'm not sure if it actually stops all commands, though. According to the phind LLM, it can be used in between steps. This is what I've put together from the LLM:

name: Hide logs example
on: [push]

jobs:
  hide-logs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Generate unique token
        id: generate-token
        run: echo "::set-output name=token::$(openssl rand -hex 20)"

      - name: Stop processing commands
        if: ${{ env.HIDE_LOGS == 'true' }}
        run: echo "::stop-commands::${{ steps.generate-token.outputs.token }}"

      - name: Run step with hidden logs
        run: echo "This step's logs will not be shown."

      - name: Resume processing commands
        run: echo "::${{ steps.generate-token.outputs.token }}::"

The token should be a unique string each time.

I'm not sure phind is correct about being able to run it between steps. It might be necessary to run it in the same bash script [step] where we run the docker creation.

[plocket]

Right now the PR does log the config because that's a GitHub secret. If we revisit in future, here's probably a way to hide the config in the if: https://stackoverflow.com/questions/12363916/if-dev-null