From 2d49511826b8f272075ff006acf91f0eb9f9936f Mon Sep 17 00:00:00 2001
From: Michael Tautschnig
Date: Mon, 30 Sep 2024 12:09:12 +0200
Subject: [PATCH] Make sure no information fetched from secrets manager is logged (#217)

Use GitHub's log masking to ensure even tokens that do not match GitHub's default filter are replaced by asterisks.
---
 .github/workflows/release-brew.yaml | 24 ++++++++++++++++++------
 .github/workflows/release-pypi.yaml |  8 ++++++--
 .github/workflows/release.yaml      |  4 +++-
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release-brew.yaml b/.github/workflows/release-brew.yaml
index da8e8b3..d6c093b 100644
--- a/.github/workflows/release-brew.yaml
+++ b/.github/workflows/release-brew.yaml
@@ -66,8 +66,12 @@ jobs:
 
       - name: Fetch secrets
         run: |
-          echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
-          echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          bot_email=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')
+          echo "::add-mask::$bot_email"
+          echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+          homebrew_github_api_token=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')
+          echo "::add-mask::$homebrew_github_api_token"
+          echo "HOMEBREW_GITHUB_API_TOKEN=$homebrew_github_api_token" >> $GITHUB_ENV
 
       - name: Configure git user name and email
         run: |
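Review bot: A failed `aws secretsmanager get-secret-value` call in the new `bot_email=$(… | jq -r …)` and `homebrew_github_api_token=$(… | jq -r …)` lines does not fail the step: the pipeline's status is `jq`'s, and unless the step declares `shell: bash` (not visible in this hunk) the runner's default `bash -e` has no `pipefail`, so an empty value is masked, an empty `HOMEBREW_GITHUB_API_TOKEN` is exported, and the failure only surfaces later in an unrelated step. I would open the script with `set -o pipefail` and check each value before exporting it, e.g. `[ -n "$homebrew_github_api_token" ] && [ "$homebrew_github_api_token" != null ] || { echo "RELEASE_CI_ACCESS_TOKEN is empty" >&2; exit 1; }` (`jq -r` prints the literal `null` when `.SecretString` is absent). As a point of style, this hunk assigns `bot_email=$(…)` unquoted while the other hunks in the series quote the substitution; quoting is harmless here and keeps the three copies of this step uniform. The `run:` script continues past the end of the hunk.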
@@ -102,8 +106,12 @@ jobs:
 
       - name: Fetch secrets
         run: |
-          echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+          echo "::add-mask::$fork_repo"
+          echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
 
       - name: Set up Python
         # The GitHub action actions/setup-python@v4 installs CPython 3.10
@@ -173,8 +181,12 @@ jobs:
 
       - name: Fetch secrets
         run: |
-          echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
-          echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
+          bot_email="$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')"
+          echo "::add-mask::$bot_email"
+          echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+          fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+          echo "::add-mask::$fork_repo"
+          echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
 
       - name: Configure git user name and email
         run: |
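Review bot: The first hunk (`@@ -102`) fetches `RELEASE_CI_ACCESS_TOKEN` from Secrets Manager twice — once inside the `fork_repo=` string and again for `github_token=` — and only the second fetch registers the bare token with `::add-mask::`; the `fork_repo` mask covers the full URL string, which is what makes the two calls look independent. Fetch the token once, mask it, and build the URL from the masked variable; since masking is substring-based, masking the bare token also redacts it inside the URL, so the separate URL mask becomes unnecessary. While rewriting those lines I would also stop splicing `${{ env.BOT_USER }}` and `${{ env.TAP }}` into the script text and read them as the shell variables `$BOT_USER` / `$TAP`, which is the usual hardening against expression injection and avoids the `echo … | cut` subshell (the `${TAP#*/}` form assumes `TAP` is `owner/name`, which is how `cut -d / -f 2` treats it). Note that the surrounding `run:` block extends beyond the hunk.
```yaml
        run: |
          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
          echo "::add-mask::$github_token"
          fork_repo="https://${github_token}@github.com/${BOT_USER}/homebrew-${TAP#*/}.git"
          echo "FORK_REPO=$fork_repo" >> "$GITHUB_ENV"
          echo "GITHUB_TOKEN=$github_token" >> "$GITHUB_ENV"
```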
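Review bot: In the second hunk (`@@ -173`) the token from `RELEASE_CI_ACCESS_TOKEN` is only ever masked as part of the full URL in `echo "::add-mask::$fork_repo"`; `::add-mask::` redacts exact occurrences of the registered string, so the bare token — for example in a git error message that prints only the credential, or in any later step that logs `$FORK_REPO` after stripping the scheme — would appear in clear text, and because this token does not come from the `secrets` context the runner has no other mask for it (this is the gap the commit message describes). Unlike the `@@ -102` hunk there is no separate `github_token` assignment here to cover that case. Fetch and mask the token first, then build the URL from it: `github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"`, `echo "::add-mask::$github_token"`, `fork_repo="https://${github_token}@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"`. The step's `run:` script continues outside the hunk.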
diff --git a/.github/workflows/release-pypi.yaml b/.github/workflows/release-pypi.yaml
index c62e7cc..ae2518b 100644
--- a/.github/workflows/release-pypi.yaml
+++ b/.github/workflows/release-pypi.yaml
@@ -27,8 +27,12 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Fetch secrets
         run: |
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
-          echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
+          twine_password="$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$twine_password"
+          echo "TWINE_PASSWORD=$twine_password" >> $GITHUB_ENV
       - name: Get Package Name
         id: get_package_name
         run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 91592d7..f076b8a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -36,7 +36,9 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Fetch secrets
         run: |
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
       - name: Create release
         uses: actions/create-release@v1
         with:
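Review bot: Masking fixes the log exposure, but `echo "TWINE_PASSWORD=$twine_password" >> $GITHUB_ENV` and the matching `GITHUB_TOKEN` line still hand both credentials to every subsequent step of the job, including `Get Package Name` and any third-party action that follows; masking does not stop a later step from reading or forwarding the variable. The narrower shape is to publish the values as step outputs (`id: secrets` on this step, `echo "twine_password=$twine_password" >> "$GITHUB_OUTPUT"` after the mask) and set `env: TWINE_PASSWORD: ${{ steps.secrets.outputs.twine_password }}` only on the upload step, so the PyPI token is scoped to the one step that needs it — masking before writing the output keeps it out of logs. If the project can move to PyPI trusted publishing (OIDC), the long-lived `PYPI_ACCESS_TOKEN` could be dropped from Secrets Manager altogether; I cannot tell from this hunk whether that is an option. The consuming upload step lies outside the hunk.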
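Review bot: In the `release.yaml` hunk, `echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV` uses the single-line `KEY=value` form of `GITHUB_ENV`, which assumes the secret contains no newline; a value with an embedded line break would be parsed as additional `KEY=value` assignments, so anyone able to write `RELEASE_CI_ACCESS_TOKEN` in Secrets Manager could inject arbitrary environment variables into the remaining steps, and the masked token would also no longer match the exact string. The heredoc form the runner documents for arbitrary values avoids both problems: `{ echo "GITHUB_TOKEN<<__EOF__"; echo "$github_token"; echo "__EOF__"; } >> "$GITHUB_ENV"` (with `$GITHUB_ENV` quoted, as the path is runner-controlled but quoting costs nothing). A non-empty check on `$github_token` before the export would also turn a failed Secrets Manager call into a clear failure here rather than an opaque authentication error from the `actions/create-release@v1` step that consumes the variable.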