
Fix: Securely mask secrets in Reusable Workflows #180

Merged
merged 1 commit into from
Aug 6, 2024

Commits on Aug 6, 2024

  1. Fix: Securely mask secrets in Reusable Workflows

    Problem:
    
    This commit addresses the issue of secret exposure when passing
    secrets between reusable workflows in GitHub Actions. Automatic
    secret masking within reusable workflows is lost due to secret
    inheritance limitations. Additionally, multiline secrets and
    special characters pose challenges [1.]; behaviour is undefined
    with GitHub Actions since non-UTF-8 bytes will cause encoding
    problems (internally stored as UTF-16).
    
    Proposed Solution:
    
    To redact and mask secrets from console logs, I propose the
    two-step Base64 encoding approach inspired by [2.]:
    
    1. Double Base64 Encoding: Before storing secrets in the
    organization or repository secret store, encode them twice using
    the base64 command. This prevents secret exposure when GitHub
    Actions outputs them.
    
    Example:
    cat clouds.yaml | base64 -w0 | base64 -w0 > clouds-2xb64.yaml
    cat clouds-env.pkrvars.hcl | base64 -w0 | base64 -w0 > \
    clouds-2xb64.yaml
    
    2. Pass Encoded Values and Decode in Reusable Workflows: Pass the
    encoded values as secret inputs to reusable workflows. Inside the
    workflows, decode them twice before masking to ensure they remain
    masked throughout the logs and usable in subsequent steps.
    
    Limitation:
    
    Rerunning jobs in debug mode might reveal secrets in the workflow
    logs. However, only authorized users with "owner" permissions can
    trigger debug re-runs, mitigating the overall risk.
    
    Benefits:
    
    + Consistent secret masking within reusable workflows.
    + Secure handling of multiline secrets and special characters.
    + Reduced risk of accidental secret exposure in workflow logs.
    
    Note: The secrets have been renamed as and encoded twice
    and saved on the GitHub secret store.
    
    References:
    [1.] https://github.com/orgs/community/discussions/65057
    [2.] https://github.com/orgs/community/discussions/26671
    
    Signed-off-by: Anil Belur <abelur@linuxfoundation.org>
    askb committed Aug 6, 2024
    97c6925
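The double-Base64 round trip described in the commit message, as an added example that is not code from the PR or the project: `double_encode` is the producer side (run once before storing the value in the secret store), `double_decode` and `mask_lines` are the consumer side inside the reusable workflow. It uses `tr -d '\n'` instead of `base64 -w0` so the encoding is a single line on non-GNU `base64` as well; the sample secret is constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of PR #180): double-Base64 a multiline secret,
# decode it twice, and emit the runner's ::add-mask:: command per line.

# Producer side: encode twice before storing in the org/repo secret store.
# tr -d '\n' removes the 76-column line wrapping so each layer is one line
# (portable equivalent of GNU `base64 -w0`).
double_encode() {
  printf '%s' "$1" | base64 | tr -d '\n' | base64 | tr -d '\n'
}

# Consumer side (inside the reusable workflow): peel both Base64 layers off
# the value received as a secret input. Trailing newlines are not re-added,
# so the result matches what was encoded byte for byte.
double_decode() {
  printf '%s' "$1" | base64 -d | base64 -d
}

# Emit one ::add-mask:: workflow command per non-empty line of the decoded
# secret. Masking each line separately also redacts partial, line-by-line
# output of the secret (e.g. a YAML file printed by a later step).
mask_lines() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] && printf '::add-mask::%s\n' "$line"
  done
}

# Stand-alone demonstration with a constructed multiline secret.
SAMPLE_SECRET='clouds:
  openstack:
    auth:
      password: s3cr3t-with-$pecial/chars'
encoded=$(double_encode "$SAMPLE_SECRET")   # what goes into the secret store
decoded=$(double_decode "$encoded")         # what the reusable workflow uses
mask_lines "$decoded"                       # printed before the secret is used
```

In a workflow step the `mask_lines` output must be written to stdout before any step that could print the decoded value, since the runner only masks occurrences that appear after the `::add-mask::` command.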