docs: update README and logging with information on new mask-password…

… input
aws-actions · Aug 8, 2023 · 1989bce · 1989bce
1 parent 98f33d2
commit 1989bce
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -55,28 +55,6 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
           docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
 ```
 
-#### Login to Amazon ECR Private, then build and push a Docker image masking the password:
-
-> [!WARNING]
-> Setting mask-password to true will prevent the password GitHub output from being shared between separate jobs.
-
-```yaml
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
-        with:
-          mask-password: 'true'
-
-      - name: Build, tag, and push docker image to Amazon ECR
-        env:
-          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: my-ecr-repo
-          IMAGE_TAG: ${{ github.sha }}
-        run: |
-          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
-          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
-```
-
 #### Login to Amazon ECR Public, then build and push a Docker image:
 ```yaml
       - name: Login to Amazon ECR Public
@@ -129,7 +107,9 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
           helm push $REPOSITORY-0.1.0.tgz oci://$REGISTRY/$REGISTRY_ALIAS
 ```
 
-(Helm uses the same credential store as Docker, so Helm can authenticate with the same credentials that you use for Docker)
+Helm uses the same credential store as Docker, so Helm can authenticate with the same credentials that you use for Docker
+
+### Other use-cases
 
 #### Login to ECR on multiple AWS accounts
 
@@ -153,9 +133,11 @@ The repository on account `998877665544` needs to explicitly grant access to rol
 Please refer to [AWS docs](https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/)
 for details on how to configure ECR policies
 
-### Using an image as a service
+#### Using an image as a service
+
+Login to Amazon ECR Private, then use the outputted Docker credentials to run your private image as a service in another job.
+For more information, see the [Docker Credentials](#docker-credentials) section below.
 
-Login to Amazon ECR Private, then use the outputted Docker credentials to run your private image as a service in another job
 ```yaml
 jobs:
   login-to-amazon-ecr:
@@ -192,6 +174,20 @@ jobs:
         run: echo "run steps in container"
 ```
 
+#### Login to Amazon ECR Private while masking the password:
+
+> [!WARNING]
+> Setting `mask-password` to `'true'` will prevent the Docker password output from being shared between separate jobs.
+> For more information, see the [Docker Credentials](#docker-credentials) section below.
+
+```yaml
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+        with:
+          mask-password: 'true'
+```
+
 See [action.yml](action.yml) for the full documentation for this action's inputs and outputs.
 
 ## Credentials
@@ -232,7 +228,12 @@ If using ECR Public:
 - Docker username output: `docker_username_public_ecr_aws`
 - Docker password output: `docker_password_public_ecr_aws`
 
-To push Helm charts, you can also login through Docker. By default, Helm can authenticate with the same credentials that you use for Docker.
+> [!IMPORTANT]
+> If you are not using the Docker credential outputs, make sure the `mask-password` input is set to `'true'`.
+> This masks your Docker password and prevents it from being printed to the action logs if you [enable debug logging](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging).
+> 
+> If you are using the Docker credential outputs, make sure the `mask-password` input is not set or set to `'false'`.
+> Masked values cannot be passed to separate jobs (see [this issue](https://github.com/actions/runner/issues/1498#issuecomment-1066836352)).
 
 ## Self-Hosted Runners
 

diff --git a/action.yml b/action.yml
@@ -10,8 +10,8 @@ inputs:
     required: false
   mask-password:
     description: >-
-      Mask the docker password to prevent it being printed to logs to std-out. This will prevent the
-      password GitHub output from being shared between separate jobs.
+      Mask the docker password to prevent it being printed to action logs if debug logging is enabled.
+      NOTE: This will prevent the Docker password output from being shared between separate jobs.
       Options: ['true', 'false']
     required: false
     default: 'false'

diff --git a/index.js b/index.js
@@ -118,6 +118,12 @@ async function run() {
       throw new Error(`Invalid input for '${INPUTS.registryType}', possible options are [${REGISTRY_TYPES.private}, ${REGISTRY_TYPES.public}]`);
     }
 
+    // Notify customer if they don't have their password masked
+    if (!maskPassword) {
+      core.warning('Your docker password is not masked. See https://github.com/aws-actions/amazon-ecr-login#docker-credentials ' +
+        'for more information.')
+    }
+
     // Configures proxy
     const httpsProxyAgent = configureProxy(httpProxy);