dealing safely with (multiline) secrets
dionysius opened this issue · 0 comments
I wanted to pass a gpg private key to the action but I cannot do that safely. I'm kinda addressing two issues: multiline strings and secrets.
A pgp private key looks like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
xxxx
xxxx
xxxx
...
-----END PGP PRIVATE KEY BLOCK-----
The only way to pass variables (and secrets) to the action is using the env property:
env: |
someenv: "${{ env.someenv }}"
somesecret: "${{ secrets.somesecret }}"
But this way will lead to the yaml error Multi-line double-quoted string needs to be sufficiently indented. It wouldn't matter if I do somesecret: |, since the indention is still wrong.
I'm also not allowed to manipulate the secret as it would make the secret possibly visible in the workflow, since it has been altered and the log detection cannot redact it anymore.
See https://docs.github.com/en/github-ae@latest/actions/security-guides/security-hardening-for-github-actions#using-secrets):
To help prevent accidental disclosure, GitHub AE uses a mechanism that attempts to redact any secrets that appear in run logs. This redaction looks for exact matches of any configured secrets, as well as common encodings of the values, such as Base64.
I could make use of the base64 feature (accidentally a feature of gha) or maybe write a file beforehand and mount it (unsure safeness). But if anyone is not careful secrets could be exposed.
Addressing issues:
- requiring the
envproperty to be a yaml document is difficult to work with multiline strings. I'd rather see this to be a map - requesting separate property map for secrets to be handled and passed to the container accordingly careful
Would be excellent if this is addressed for v3, since I'm proposing here usage changes