Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add a "mask" param to hide secrets from http_url #26

Merged
merged 5 commits into from
May 26, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,19 @@ In `http` mode this can be anything. This can be any endpoint: a json, csv, txt,

A path to a local Deno javascript or typescript file for postprocessing the `downloaded_filename` file. Read more in the ["Postprocessing section"](https://github.com/githubocto/flat#postprocessing).

#### `mask` (optional)

If your `http_url` string contains secrets, you can choose to mask it from the commit message. You have two options:

**Option 1**: use a string boolean

`mask: true # removes the source entirely from the commit message, defaults to false`

**Option 2**: use a string array with each secret to mask

`mask: '["${{ secrets.SECRET1 }}", "${{ secrets.SECRET2 }}"]'`


### SQL Mode

#### `sql_connstring`
Expand Down
3 changes: 3 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ inputs:
http_url:
description: 'A URL containing data to fetch.'
required: false
mask:
description: 'A string array of secrets to strip from the http_url or a string boolean'
required: false
sql_connstring:
description: 'A connection string for making a SQL query.'
required: false
Expand Down
29 changes: 26 additions & 3 deletions dist/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,7 @@ const CommonConfigSchema = z.object({
const HTTPConfigSchema = z
.object({
http_url: z.string(),
mask: z.string().optional() // string array of secrets or boolean
})
.merge(CommonConfigSchema);
const SQLConfigSchema = z
Expand All @@ -247,12 +248,13 @@ function getConfig() {
const keys = [
'downloaded_filename',
'http_url',
'mask',
'sql_connstring',
'sql_queryfile',
'postprocess',
];
keys.forEach(k => {
const v = core.getInput(k);
const v = core.getInput(k); // getInput always returns a string
if (v) {
raw[k] = v;
}
Expand Down Expand Up @@ -449,9 +451,30 @@ async function run() {
core.startGroup('Fetch data');
let filename = '';
let source;
let shouldMask = false; // by default we don't mask the source
let sourceMasked = '';
if (config_1.isHTTPConfig(config)) {
filename = await http_1.default(config);
source = config.http_url;
// if including a mask config then we can strip out secrets from the http_url
sourceMasked = source; // if no secrets to mask then this is just source
if (config.mask) {
if (config.mask === 'true' || config.mask === 'false') { // mask param is a string
shouldMask = JSON.parse(config.mask); // convert to boolean
}
else {
try {
const maskArray = JSON.parse(config.mask);
maskArray.forEach((secretToMask) => {
const regex = new RegExp(secretToMask, "g");
sourceMasked = sourceMasked.replace(regex, "***");
});
}
catch (error) {
core.setFailed('Mask param formatted incorrectly. It should be a string array OR a "true" or "false" string.');
}
}
}
}
else if (config_1.isSQLConfig(config)) {
filename = await sql_1.default(config);
Expand Down Expand Up @@ -497,8 +520,8 @@ async function run() {
core.debug(`git adding ${filename}…`);
await exec_1.exec('git', ['add', filename]);
const bytes = await git_1.diff(filename);
// core.setOutput('delta_bytes', bytes)
editedFiles.push({ name: filename, deltaBytes: bytes, source });
const source = shouldMask ? {} : { source: sourceMasked };
editedFiles.push({ name: filename, deltaBytes: bytes, ...source });
}
core.endGroup();
core.startGroup('Committing new data');
Expand Down
2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

Loading