
Commit 02047e7

committed
enforce secrets input value as registered secret
Signed-off-by: CrazyMax <[email protected]>
1 parent 84ad562 commit 02047e7


3 files changed

+33
-17
lines changed

3 files changed

+33
-17
lines changed

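--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
 "packageManager": "[email protected]",
 "dependencies": {
 "@actions/core": "^1.11.1",
-"@docker/actions-toolkit": "0.56.0",
+"@docker/actions-toolkit": "https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test",
 "handlebars": "^4.7.7"
 },
 "devDependencies": {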
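Review bot: The `@docker/actions-toolkit` entry on the added line resolves from a personal fork by branch name (`#secret-enforce-redact-test`), which is a mutable reference. yarn.lock in this commit pins it to commit 222f5b3354ec41cd22ed7c0f2f9e510bd90ccc3c, but any lockfile refresh would follow wherever the branch then points, and the resolved package reports `version: 0.0.0+unknown`, so it cannot be matched to a published release. Since this action handles build secrets, the entry should return to a published version before release, for example `"@docker/actions-toolkit": "<released-version-with-this-change>",`. For interim testing, pin the commit hash in package.json rather than the branch.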

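--- a/src/context.ts
+++ b/src/context.ts
@@ -69,7 +69,7 @@ export async function getInputs(): Promise<Inputs> {
 pull: core.getBooleanInput('pull'),
 push: core.getBooleanInput('push'),
 sbom: core.getInput('sbom'),
-secrets: Util.getInputList('secrets', {ignoreComma: true}),
+secrets: getSecretsInput(),
 'secret-envs': Util.getInputList('secret-envs'),
 'secret-files': Util.getInputList('secret-files', {ignoreComma: true}),
 'shm-size': core.getInput('shm-size'),
@@ -296,3 +296,19 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
 
 return args;
 }
+
+function getSecretsInput(): string[] {
+const secrets = Util.getInputList('secrets', {ignoreComma: true});
+
+// enforce value as registered GitHub Secret
+for (const secret of secrets) {
+try {
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+const [_, value] = Build.parseSecretKvp(secret, true);
+} catch (err) {
+// ignore invalid secret
+}
+}
+
+return secrets;
+}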
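Review bot: The empty `catch` in `getSecretsInput` lets an entry that `Build.parseSecretKvp` rejects pass through unchanged in the returned list, so, assuming the `true` argument is what registers the value for log masking (the call site does not say), that value is never registered and nothing tells the user. I would emit a fixed-text warning there, `core.warning('secrets: an entry could not be parsed and was not registered for masking');`, and keep `err` out of the message in case the toolkit's error text echoes the raw input. The destructuring exists only to be discarded, so `Build.parseSecretKvp(secret, true);` alone would remove the eslint suppression, and the comment above the loop should state what the second argument does. The sibling `secret-envs` and `secret-files` inputs in `getInputs` still use `Util.getInputList` directly; whether their resolved values are masked elsewhere is not visible here.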

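--- a/yarn.lock
+++ b/yarn.lock
@@ -12,9 +12,9 @@ __metadata:
 languageName: node
 linkType: hard
 
-"@actions/artifact@npm:^2.2.2":
-version: 2.2.2
-resolution: "@actions/artifact@npm:2.2.2"
+"@actions/artifact@npm:^2.3.2":
+version: 2.3.2
+resolution: "@actions/artifact@npm:2.3.2"
 dependencies:
 "@actions/core": ^1.10.0
 "@actions/github": ^5.1.1
@@ -28,13 +28,13 @@ __metadata:
 archiver: ^7.0.1
 jwt-decode: ^3.1.2
 unzip-stream: ^0.3.1
-checksum: 1501b3d0ceb671f370786ccf70014de9586c5a78c95d235248fc16c73bf928f8de2aa932a679258f6d9bc2f2e570648d830551af9f063298f05d19f3330b33bc
+checksum: 78ee41b43800accb2f3527e1733217c43d53693e7f96ce2470b16890fb84f5c2ebaaa6048ccdb6cfe188b54c02779ec99623c6932558e757f6829cfde203cf2c
 languageName: node
 linkType: hard
 
-"@actions/cache@npm:^4.0.2":
-version: 4.0.2
-resolution: "@actions/cache@npm:4.0.2"
+"@actions/cache@npm:^4.0.3":
+version: 4.0.3
+resolution: "@actions/cache@npm:4.0.3"
 dependencies:
 "@actions/core": ^1.11.1
 "@actions/exec": ^1.0.1
@@ -46,7 +46,7 @@ __metadata:
 "@azure/storage-blob": ^12.13.0
 "@protobuf-ts/plugin": ^2.9.4
 semver: ^6.3.1
-checksum: 208f11238a26194f331b329bb99d50a87c1a3ccef1dbae181e5c142b3faf41715203e0c5cbc491519d3d97540a68fbd418c25fb6e16caabf76248c40867c02b4
+checksum: ee9c2a21a70bd3f35c63f302af478e23f135c26deb77ea2e4eed29c62766a4b201fc7435651c0d56fa504c02d203107e3bdfda1dba18a3ee09338e1dfc3f2fe8
 languageName: node
 linkType: hard
 
@@ -1072,12 +1072,12 @@ __metadata:
 languageName: node
 linkType: hard
 
-"@docker/actions-toolkit@npm:0.56.0":
-version: 0.56.0
-resolution: "@docker/actions-toolkit@npm:0.56.0"
+"@docker/actions-toolkit@https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test":
+version: 0.0.0+unknown
+resolution: "@docker/actions-toolkit@https://github.com/crazy-max/docker-actions-toolkit.git#commit=222f5b3354ec41cd22ed7c0f2f9e510bd90ccc3c"
 dependencies:
-"@actions/artifact": ^2.2.2
-"@actions/cache": ^4.0.2
+"@actions/artifact": ^2.3.2
+"@actions/cache": ^4.0.3
 "@actions/core": ^1.11.1
 "@actions/exec": ^1.1.1
 "@actions/github": ^6.0.0
@@ -1097,7 +1097,7 @@ __metadata:
 semver: ^7.7.1
 tar-stream: ^3.1.7
 tmp: ^0.2.3
-checksum: 0f1b569f8bb206399f8c26e566c78e30e4a311bbd64486016e7fa1d35fbbb4c94d4f55afa6b711afa4b41c5835b40b038f48c3d1bfdfdc6f7c6680973e922d9e
+checksum: d1b0b8f868d838f4f02a172c2dc34ae2855a6047efba739e68b693e129480b295b4059ba5802abfe9d3b1d62e794fccc408a2961720e9ff13b8b9db6c89bf085
 languageName: node
 linkType: hard
 
@@ -3143,7 +3143,7 @@ __metadata:
 resolution: "docker-build-push@workspace:."
 dependencies:
 "@actions/core": ^1.11.1
-"@docker/actions-toolkit": 0.56.0
+"@docker/actions-toolkit": "https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test"
 "@types/node": ^20.12.12
 "@typescript-eslint/eslint-plugin": ^7.9.0
 "@typescript-eslint/parser": ^7.9.0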
