[GH-ISSUE #1601] Multiline secret workaround logging sensitive information #803

Closed
opened 2026-03-01 21:46:30 +03:00 by kerem · 1 comment
Owner

Originally created by @mryhmln on GitHub (Feb 2, 2023).
Original GitHub issue: https://github.com/nektos/act/issues/1601

Bug report info

act version:            0.2.42
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 8
Docker host:            DOCKER_HOST environment variable is unset/empty.
Sockets found:
        /var/run/docker.sock
        /Users/mhamlin@codeforamerica.org/.docker/run/docker.sock
Config files:           
        /Users/mhamlin@codeforamerica.org/.actrc:
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
                --container-architecture linux/amd64

Build info:
        Go version:            go1.19.5
        Module path:           command-line-arguments
        Main version:          
        Main path:             
        Main checksum:         
        Build settings:
                -compiler:            gc
                -ldflags:             -X main.version=0.2.42
                CGO_ENABLED:          1
                CGO_CFLAGS:           
                CGO_CPPFLAGS:         
                CGO_CXXFLAGS:         
                CGO_LDFLAGS:          
                GOARCH:               arm64
                GOOS:                 darwin
Docker Engine:
        Engine version:        20.10.22
        Engine runtime:        runc
        Cgroup version:        2
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Docker Desktop
        OS type:               linux
        OS version:            
        OS arch:               aarch64
        OS kernel:             5.15.49-linuxkit
        OS CPU:                4
        OS memory:             7851 MB
        Security options:
                name=seccomp,profile=default
                name=cgroupns

Command used with act

act --secret-file .dev.secrets --env-file .dev.env -s TWILIO_CRT="$(< .dev.twilio_crt.secrets)"

Describe issue

I just tried the workaround for using a multiline secret as described in issue #123. Act did manage to pull in the secret value, but then inside my GitHub Actions Workflow where I am calling a Bash script to pass in the value, it's logging the unobfuscated version of the value instead of "***", as it typically does with secret values.

I included a relevant portion of the output log file. Also note that my .dev.twilio_crt.secrets file contains my multiline secret value and both .dev.secrets and .dev.env contain standard single-line environment/secret values.

Link to GitHub repository

No response

Workflow content

name: Hello World

on:
  push:

jobs:
  hello:
    runs-on: ubuntu-latest
    steps:
        - uses: actions/checkout@v3
        - run: sudo apt-get update 
        - run: sudo apt install -y moreutils
        - run: sudo apt install -y gettext-base
        - run: sudo apt install -y jq
        - run: .github/scripts/envsubst.sh '${{ toJSON(env) }}'
        - run: .github/scripts/envsubst.sh '${{ toJSON(secrets) }}'

Relevant log output

[Hello World/hello]   ✅  Success - Main .github/scripts/envsubst.sh '{
  "TWILIO_API_KEY_SECRET": "***",
  "TWILIO_API_KEY_SID": "***",
  "TWILIO_CRT": "-----BEGIN CERTIFICATE-----\nMIIEhDCCA2ygAwIBAgI... BLAH BLAH BLAH... mT2hEB/siFs=\n-----END CERTIFICATE-----"
}'

Additional information

Here's the contents of my envsubst Bash script:

```sh
#!/usr/bin/env bash
# Package Dependencies:
#   sponge: apt install -y moreutils
#   envsubst: apt install -y gettext-base
#   jq: apt install -y jq
# Usage: ./envsubst.sh '{"API_KEY_SID": "1", "API_KEY_SECRET": "2"}'
#   -where the input argument is expected to be a simple json object
# Example: ./envsubst.sh '{"SOME_KEY_1": "SOME_VALUE_1", "SOME_KEY_2": "SOME_VALUE_2"}'
set -euo pipefail

input_json="$1"

# Export input json object's properties (key/value pairs) as local environment variables.
# Note: Take care to avoid exposing any sensitive values, e.g. writing them to log files

echo "$input_json"

# jq emits one NUL-terminated KEY=VALUE record per property, so a value that
# contains spaces or newlines (such as a PEM certificate) is exported intact
# instead of being word-split by the shell.
while IFS= read -r -d '' entry; do
    echo "$entry"
    export "$entry"
done < <(jq -j 'to_entries[] | "\(.key)=\(.value|tostring)\u0000"' <<< "$input_json")

printenv

# Replace environment variable place holders in project files with their actual values (ignore hidden files and folders)
find . -type f ! -name ".*" ! -path './.*' -print0 | while IFS= read -r -d '' i; do
    envsubst < "$i" | sponge "$i"
done

cat ./force-app/main/default/namedCredentials/Twilio.namedCredential-meta.xml
cat ./force-app/main/default/certs/Twilio.crt
```
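The log above shows the certificate with its newlines re-encoded as the two characters `\n` by toJSON(), which is presumably why a mask holding the secret with literal newlines no longer matches it. As an added illustration (not act's code), the Go masker below registers a multi-line secret together with its JSON-escaped form and each of its individual lines; the sample cert is constructed and the 8-character minimum fragment length is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Masker redacts registered secret values from log text with "***".
type Masker struct{ patterns []string }

// JSONEscaped returns s as it appears inside a JSON string literal: a real
// newline becomes the two characters `\n`, as in the act log output above.
func JSONEscaped(s string) string {
	b, _ := json.Marshal(s)        // marshalling a plain string never fails
	return string(b[1 : len(b)-1]) // strip the surrounding quotes
}

// Register records the secret plus the forms a multi-line value takes after re-encoding.
func (m *Masker) Register(secret string) {
	add := func(p string) {
		if len(p) >= 8 { // assumption: skip tiny fragments that would over-mask
			m.patterns = append(m.patterns, p)
		}
	}
	add(secret)
	add(JSONEscaped(secret))
	for _, ln := range strings.Split(secret, "\n") {
		add(strings.TrimSpace(ln))
	}
	// Longest first, so a whole-value hit is not pre-empted by a single-line hit.
	sort.SliceStable(m.patterns, func(i, j int) bool { return len(m.patterns[i]) > len(m.patterns[j]) })
}

// Mask returns line with every registered pattern replaced by "***".
func (m *Masker) Mask(line string) string {
	for _, p := range m.patterns {
		line = strings.ReplaceAll(line, p, "***")
	}
	return line
}

func main() {
	// Constructed stand-in for the PEM value passed via -s TWILIO_CRT; not a real cert.
	secret := "-----BEGIN CERTIFICATE-----\nMIIEconstructedLineOne\nMIIEconstructedLineTwo=\n-----END CERTIFICATE-----"
	var m Masker
	m.Register(secret)
	fmt.Println(m.Mask(`Success - Main envsubst.sh '{"TWILIO_CRT": "` + JSONEscaped(secret) + `"}'`))
}
```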
kerem 2026-03-01 21:46:30 +03:00
Author
Owner

@github-actions[bot] commented on GitHub (Aug 2, 2023):

Issue is stale and will be closed in 14 days unless there is new activity
