Document how GitHub secrets work (#208)

Fixes #207
This commit is contained in:
Seth Vargo 2022-08-08 11:46:38 -04:00 committed by GitHub
parent 8609d2cff4
commit acd8a2b487
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 0 deletions

@ -127,6 +127,14 @@ risk.**
service account, you must grant the underlying service account service account, you must grant the underlying service account
`roles/iam.serviceAccountTokenCreator` permissions on itself. `roles/iam.serviceAccountTokenCreator` permissions on itself.
Note: we strongly advise that you "compress" your JSON into a single line
string before storing it in a GitHub Secret. When a GitHub Secret is used in
a GitHub Actions workflow, _each line_ of the secret is masked in log
output. This can lead to aggressive sanitization of benign characters like
curly braces (`{}`) and brackets (`[]`). See
[Troubleshooting](docs/TROUBLESHOOTING.md#aggressive-replacement) for more
information.
### Generating OAuth 2.0 access tokens ### Generating OAuth 2.0 access tokens
The following inputs are for _generating_ OAuth 2.0 access tokens for The following inputs are for _generating_ OAuth 2.0 access tokens for
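Review bot: the inserted note runs directly from the previous sentence ("`roles/iam.serviceAccountTokenCreator` permissions on itself.") into `Note: we strongly advise ...` and then straight into the `### Generating OAuth 2.0 access tokens` heading with no blank line visible in the hunk; please confirm blank lines separate the note from the paragraph before it and from the heading after it, otherwise Markdown will fold the note into the preceding paragraph. It would also help the README reader to show the one-line conversion here (the `jq` command that the linked Troubleshooting section provides) instead of only linking to it, and to say explicitly that compressing changes only how the value shows up in logs: the single-line string is still a secret and is still masked as a whole.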

@ -161,9 +161,30 @@ ways to fix this issue:
5. Push 5. Push
``` ```
<a name="aggressive-replacement"></a>
## Aggressive *** replacement in logs
When you use a [GitHub Actions secret][github-secrets] inside a workflow, _each_
line of the secret is masked in log output. This is controlled by GitHub, not
the `auth` action. We cannot change this behavior.
This can be problematic if your secret is a multi-line JSON string, since it
means curly braces (`{}`) and brackets (`[]`) will likely be replaced as `***`
in the GitHub Actions log output. To avoid this, remove all unnecessary
whitespace from the JSON and save the secret as a single-line JSON string. You
can convert a multi-line JSON document to a single-line manually or by using a
tool like `jq`:
```sh
cat credentials.json | jq -r tostring
```
[attribute-conditions]: https://cloud.google.com/iam/docs/workload-identity-federation#conditions [attribute-conditions]: https://cloud.google.com/iam/docs/workload-identity-federation#conditions
[sa-impersonation]: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation [sa-impersonation]: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation
[debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging [debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging
[iam-feedback]: https://cloud.google.com/iam/docs/getting-support [iam-feedback]: https://cloud.google.com/iam/docs/getting-support
[wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation [wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation
[cal]: https://cloud.google.com/logging/docs/audit/configure-data-access [cal]: https://cloud.google.com/logging/docs/audit/configure-data-access
[github-secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets
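Review bot: `cat credentials.json | jq -r tostring` pipes through `cat` unnecessarily and relies on `tostring` plus `-r` to get compact output; `jq -c . credentials.json` reads the file directly and is the idiomatic form for compacting a JSON document to one line, so consider replacing the example with that. The paragraph above the command would also benefit from two clarifications: the compacted string is the same credential and should be pasted straight into the GitHub Secret rather than saved to another file, and collapsing to one line does not weaken masking, it only stops `{`, `}`, `[` and `]` from being masked on their own because they are no longer separate lines. Lastly, since the section already has a `[github-secrets]` reference, consider linking the GitHub documentation on masking so readers can verify that the per-line behaviour is GitHub's, as the text states.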