Cover Your Tracks: How to Hide Sensitive Information in GitHub Actions Logs

Apr 28, 2023
Learning all about GitHub Actions secrets


One drawback of using GitHub Actions is that, for a public repository, the workflow logs are publicly accessible: anyone can read them without needing any permission on the repository.

To keep sensitive information out of GitHub Actions logs, store the sensitive values in encrypted variables instead of in the workflow file. These encrypted environment variables are known as GitHub Actions secrets.

This article shows how to use GitHub Actions secrets so that sensitive information is never written to the GitHub Actions logs.


When you build workflows with GitHub Actions, anyone who can view your repository can also read the workflow logs, so the logs must not contain sensitive information. Simply deleting your passwords, tokens and other confidential values is not an option, because your tests and your application need them to run.

You can hide such values with the add-mask workflow command (written ::add-mask:: in a step's output). Once a value has been registered this way, the runner replaces every later occurrence of it in the log with asterisks (*).

In the next section we show how to mask a value in the log.

How to mask values in the logs

First, open your cloned repository in the text editor you have installed.

Workflow files live in the .github/workflows directory at the root of your repository. Create a new file named hide-secrets.yml in that directory and add the following content:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Echo a secret
            run: echo "your secret token is verySecretToken"

Commit the change and push it to your GitHub repository. The new GitHub Actions workflow is now active and will run on every push.

Open your repository on GitHub and click the Actions tab to review the logs. Your workflow should appear like this:

Preview your workflow in GitHub

If you read through the workflow logs, you will find the string verySecretToken printed in plain text. Click the workflow run, then the job name (print-secret-token), to see the log. It should look like this:

Examine your GitHub Actions logs

To hide it, edit hide-secrets.yml and add a step that runs the add-mask command to the print-secret-token job:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Add Mask
            run: echo "::add-mask::verySecretToken"
          - name: Echo a secret
            run: echo "your secret token is verySecretToken"

Put the Add Mask step before any step that prints the value: masking is applied only to output produced after the add-mask command has been processed. If verySecretToken is printed before the Add Mask step runs, that occurrence is not hidden. To be sure a value is masked, register it with add-mask as early in the job as possible.

Once you have committed and pushed the change to your GitHub repository, every occurrence of verySecretToken in the log is replaced with asterisks (***):

Masked plain text

This fixes the log, but it introduces a new problem: verySecretToken is still stored in the workflow file, so anyone with access to the source code can read it.

Another drawback of masking plain text is that masking a short string hides every occurrence of it, including inside longer words. Take the sentence "Programming is great, but my most productive days are those in which I'm not writing programs." If you mask the word "program", it is not only hidden where it appears as a word at the end of the sentence but everywhere the substring occurs, such as inside "programming" and "programs".

If you mask just the word "program", the log ends up looking like this:

The problem with masking plain text
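To make the two caveats above concrete (a value is masked only in output produced after it is registered, and masking replaces every later occurrence of the value, even inside longer words), here is an added example that is not code from the original article. It is a small offline simulation of the runner's literal-replacement rule over a constructed job log; the real runner does more (for instance it redacts workflow secrets automatically), and only the "replace each registered value with *** in later lines" behaviour is reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original article: simulate how ::add-mask::
# affects a job log. Assumption: the runner replaces every occurrence of a
# registered value in LATER output with "***"; nothing else is modelled.

# Constructed sample job log. Line 1 prints the token before it is masked,
# line 2 registers the mask, line 3 prints it again, line 4 registers a short
# word and line 5 contains that word inside longer words.
SAMPLE_LOG='your secret token is verySecretToken
::add-mask::verySecretToken
your secret token is verySecretToken
::add-mask::program
I love programming, but my best days are those with no programs to write.'

# simulate_masking: read a log on stdin, honour ::add-mask:: lines in the order
# they appear and replace every later occurrence of each registered value with
# ***. The add-mask command lines themselves are consumed, not echoed.
simulate_masking() {
    awk '
    /^::add-mask::/ {
        value = substr($0, 13)            # text after the 12-char "::add-mask::"
        if (value != "") masked[++n] = value
        next
    }
    {
        line = $0
        for (i = 1; i <= n; i++) {
            out = ""
            rest = line
            # index() is a literal search, so regex metacharacters in a
            # secret cannot break or widen the replacement
            while ((pos = index(rest, masked[i])) > 0) {
                out = out substr(rest, 1, pos - 1) "***"
                rest = substr(rest, pos + length(masked[i]))
            }
            line = out rest
        }
        print line
    }'
}

# masked_line N: return line N of the masked sample log (helper for checks)
masked_line() {
    printf '%s\n' "$SAMPLE_LOG" | simulate_masking | sed -n "${1}p"
}

# Running the script prints the three surviving log lines: the first still
# shows the token (printed before the mask), the second shows ***, and the
# third shows "***ming" and "***s" because "program" is a substring of both.
printf '%s\n' "$SAMPLE_LOG" | simulate_masking
```

The same ordering rule is why the Add Mask step belongs first in the job, and the substring behaviour is why short or common values make poor masks: anything containing them is hidden too.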

The better way to hide sensitive information in GitHub Actions logs is to use GitHub Actions secrets, as described in the next section.

How to Use GitHub Actions Secrets

You can use GitHub Actions secrets to store any confidential value you want to use in a GitHub Actions workflow. Secrets are key/value pairs created at either the repository level or the organization level.

Secrets created at the organization level can be made available to all repositories in the organization, or restricted to selected repositories through an access policy.

Secrets created at the repository level can be used by any workflow in that repository, whichever collaborator role pushed the workflow. However, secrets (other than GITHUB_TOKEN) are not passed to workflows triggered by a pull request from a forked repository.

The following rules apply to secret names:

  • Secret names cannot contain spaces; only alphanumeric characters and underscores are allowed.
  • Secret names are not case-sensitive.
  • Secret names cannot start with a number.
  • Secret names must not start with the GITHUB_ prefix.
  • Secret names must be unique at the level they are created at; two secrets with the same name cannot exist at the same level.

You reference a secret in a workflow through the secrets context, prefixing the secret name with secrets. inside an expression, as shown below:

    ${{ secrets.MY_SECRET_TOKEN }}

You can also mask secrets explicitly, as illustrated in the next section.

How to Mask Secrets

First, create your GitHub secret. In your repository on GitHub, open the Settings tab, choose Secrets and variables, then Actions, in the left-hand sidebar, and click New repository secret to add a new secret.

Create a new repository secret

Enter a name and a value for the secret, then click Add secret:

Add a new GitHub secret

Now that you have created the secret and given it a value, you can use it in your workflow file. Open hide-secrets.yml and make the following changes:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Add Mask
            run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
          - name: Echo a secret
            run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"

The only difference from the previous version is that the hard-coded token has been replaced with your newly created GitHub secret, ${{ secrets.MY_SECRET_TOKEN }}. Two things worth knowing: GitHub automatically redacts any value taken from the secrets context when it appears in the log, so the Add Mask step is belt and braces here; add-mask is what you need for values the runner does not know about, such as a token your job obtains at runtime using the secret. Also, interpolating ${{ secrets.MY_SECRET_TOKEN }} directly into a run script substitutes the raw value into the script text before it executes, so the safer pattern is to pass the secret through the step's env: block and read it as a shell variable.

When you commit and push the change to your GitHub repository, the secret no longer appears in the log:

Masked GitHub Actions secrets

Summary

Never write confidential information to your GitHub Actions logs. Masking plain text is a quick way to hide a value in the log, but anyone who can read the workflow file still sees the value you are trying to protect, and masking is a display filter on the log, not an access control.

This tutorial walked through the steps to follow. Storing the value as a GitHub Actions secret and then masking it is the more secure approach to protecting your confidential information.
