Document how GitHub secrets work #208

Merged
merged 1 commit into from Aug 8, 2022
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -127,6 +127,14 @@ risk.**
service account, you must grant the underlying service account
`roles/iam.serviceAccountTokenCreator` permissions on itself.

Note: we strongly advise that you "compress" your JSON into a single line
string before storing it in a GitHub Secret. When a GitHub Secret is used in
a GitHub Actions workflow, _each line_ of the secret is masked in log
output. This can lead to aggressive sanitization of benign characters like
curly braces (`{}`) and brackets (`[]`). See
[Troubleshooting](docs/TROUBLESHOOTING.md#aggressive-replacement) for more
information.

### Generating OAuth 2.0 access tokens

The following inputs are for _generating_ OAuth 2.0 access tokens for
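Review bot: the added note omits the masking trade-off that follows from its own first sentence: since GitHub masks each line of a secret, a multi-line JSON secret gets its individual lines redacted, but once the JSON is compressed into one line only that exact full string is masked, so a workflow step that echoes a single field of the parsed JSON on its own would no longer be redacted. Suggest adding one sentence after "compress your JSON into a single line string" stating that after compression only the complete single-line value is masked, and that workflows should avoid printing parsed fields from it. It would also help readers to point at the exact command documented in Troubleshooting rather than only linking the section.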
21 changes: 21 additions & 0 deletions docs/TROUBLESHOOTING.md
Expand Up @@ -161,9 +161,30 @@ ways to fix this issue:
5. Push
```

<a name="aggressive-replacement"></a>

## Aggressive *** replacement in logs

When you use a [GitHub Actions secret][github-secrets] inside a workflow, _each_
line of the secret is masked in log output. This is controlled by GitHub, not
the `auth` action. We cannot change this behavior.

This can be problematic if your secret is a multi-line JSON string, since it
means curly braces (`{}`) and brackets (`[]`) will likely be replaced as `***`
in the GitHub Actions log output. To avoid this, remove all unnecessary
whitespace from the JSON and save the secret as a single-line JSON string. You
can convert a multi-line JSON document to a single-line manually or by using a
tool like `jq`:

```sh
cat credentials.json | jq -r tostring
```


[attribute-conditions]: https://cloud.google.com/iam/docs/workload-identity-federation#conditions
[sa-impersonation]: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation
[debug-logs]: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging
[iam-feedback]: https://cloud.google.com/iam/docs/getting-support
[wif-byte-limit]: https://cloud.google.com/iam/docs/configuring-workload-identity-federation
[cal]: https://cloud.google.com/logging/docs/audit/configure-data-access
[github-secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets
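Review bot: the `sh` example in the new "Aggressive *** replacement in logs" section, `cat credentials.json | jq -r tostring`, does produce compact JSON but is an unidiomatic way to express it; `jq -c . credentials.json` is the standard form for compacting a document and reads as "compact output" to anyone who knows `jq`, so consider replacing the command with that. Two wording nits in the same section: "will likely be replaced as `***`" should read "replaced with `***`", and "convert a multi-line JSON document to a single-line manually" should be "to a single line manually". Since the section tells users to save the compacted output as the new secret value, it would be worth adding that the compacted string must be stored verbatim (no trailing newline or surrounding quotes) so it still parses as the same JSON document.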