fix: ensure token is masked (#4)

* fix: ensure token is masked * chore: use github action token for dry run release.
philips-software · Mar 14, 2021 · c598664 · c598664
1 parent e4ccc0a
commit c598664
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -53,7 +53,7 @@ jobs:
 
       - name: Dry run release
         env:
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: yarn && yarn run release -d -b ${{ steps.branch.outputs.short_ref }}
 
       - name: Release

diff --git a/dist/index.js b/dist/index.js
@@ -15302,7 +15302,7 @@ const getAppInstallationToken = (privateKey, appId, org) => __awaiter(void 0, vo
 });
 exports.getAppInstallationToken = getAppInstallationToken;
 const getToken = (parameters) => __awaiter(void 0, void 0, void 0, function* () {
-    let token = undefined;
+    let token;
     const privateKey = Buffer.from(parameters.base64PrivateKey, 'base64').toString();
     switch (parameters.type) {
         case 'installation': {
@@ -15374,6 +15374,8 @@ function run() {
                 type: authType,
                 org,
             });
+            // some github magic seems masking the token by default, but just to ensure it is registered as secret.
+            core.setSecret(token);
             core.setOutput('token', token);
         }
         catch (error) {

diff --git a/src/auth.ts b/src/auth.ts
@@ -44,8 +44,8 @@ export const getAppInstallationToken = async (privateKey: string, appId: number,
   }
 };
 
-export const getToken = async (parameters: Parameters): Promise<string | undefined> => {
-  let token = undefined;
+export const getToken = async (parameters: Parameters): Promise<string> => {
+  let token: string;
 
   const privateKey = Buffer.from(parameters.base64PrivateKey, 'base64').toString();
   switch (parameters.type) {
@@ -58,5 +58,6 @@ export const getToken = async (parameters: Parameters): Promise<string | undefin
       break;
     }
   }
+
   return token;
 };
diff --git a/src/main.ts b/src/main.ts
@@ -19,6 +19,8 @@ async function run(): Promise<void> {
       org,
     });
 
+    // some github magic seems masking the token by default, but just to ensure it is registered as secret.
+    core.setSecret(token);
     core.setOutput('token', token);
   } catch (error) {
     core.debug(error);