Add option to not show a warning if mask-password is not set or false #496

Open
pascalgulikers opened this issue Aug 10, 2023 · 1 comment
Labels
feature-request A feature should be added or improved.

pascalgulikers commented Aug 10, 2023

Is your feature request related to a problem? Please describe.
Due to PR #492, the workflow shows a warning that docker credentials are not masked. But in the case the workflow needs them unmasked (to pass to another job for instance), you might not want to inform the users of the (reusable) workflow that they can find those credentials in the logs.

Describe the solution you'd like
Add an option show-mask-warning: true/false, default true, so one can decide to show this warning or not. If you deliberately choose to not mask credentials, then these warnings are unnecessary.

Describe alternatives you've considered

Additional context
When you have a job which has to pull a base image from ECR, you can't use the amazon-ecr-login action in the same job, hence you have to do it in a prior job and pass the docker credentials to the next job.
For example:

job-1:
    runs-on: ubuntu-latest
    outputs:
      registry: ${{ steps.login-ecr.outputs.registry }}
      docker_username: ${{ steps.login-ecr.outputs[format('docker_username_{0}_dkr_ecr_eu_central_1_amazonaws_com', xxxxxxxx)] }}
      docker_password: ${{ steps.login-ecr.outputs[format('docker_password_{0}_dkr_ecr_eu_central_1_amazonaws_com', xxxxxxxx)] }}

    steps:
      # prior steps like aws-actions/configure-aws-credentials@v2

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          mask-password: false
          show-mask-warning: false   # <-- new option

job-2:
    runs-on: ubuntu-latest
    needs: [job-1]
    container:
      image: ***.dkr.ecr.eu-central-1.amazonaws.com/our_custom_baseimage:latest
      credentials:
        username: ${{ needs.job-1.outputs.docker_username }}
        password: ${{ needs.job-1.outputs.docker_password }}

@pascalgulikers pascalgulikers added the feature-request A feature should be added or improved. label Aug 10, 2023
@lounsbrough
I think this request could be translated as I want to leave my door unlocked when I go on vacation, but I don't want a sign in my yard that tells criminals that I'm gone and they can let themselves in.

Security through obscurity is no security at all. If you want to allow users to log their credentials in plain text, at least don't make it the default behavior: #495
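
The pattern discussed in this thread can be found mechanically when reviewing workflows. The following is an added example, not part of the issue thread or the amazon-ecr-login project: a line-based Python scan that flags amazon-ecr-login steps with `mask-password: false` and job-level `outputs:` entries that forward a `docker_password` step output. The function names and the sample workflow are assumptions made for illustration.

```python
import re

# Added example: a line-based scan, not a full YAML parser; all names are hypothetical.
USES_RE = re.compile(r"uses:\s*['\"]?aws-actions/amazon-ecr-login@")
UNMASKED_RE = re.compile(r"mask-password:\s*['\"]?false\b", re.I)
PASSWORD_REF_RE = re.compile(r"\$\{\{\s*steps\.[\w-]+\.outputs\b.*docker_password")
ITEM_RE = re.compile(r"^\s*- ")

def indent_of(line):
    return len(line) - len(line.lstrip())

def step_blocks(lines):  # [[first_line_no, text], ...] per "- ..." item and its children
    blocks, indent, is_open = [], 0, False
    for no, line in enumerate(lines, 1):
        if is_open and line.strip() and indent_of(line) <= indent:
            is_open = False  # sibling item or dedent closes the block
        if not is_open and ITEM_RE.match(line):
            blocks.append([no, ""])
            is_open, indent = True, indent_of(line)
        if is_open:
            blocks[-1][1] += line + "\n"
    return blocks

def audit(workflow_text):  # sorted (line_no, message) findings for one workflow file
    lines, findings, out_indent = workflow_text.splitlines(), [], None
    for start, body in step_blocks(lines):
        if USES_RE.search(body) and UNMASKED_RE.search(body):
            findings.append((start, "amazon-ecr-login runs with mask-password: false"))
    for no, line in enumerate(lines, 1):
        if out_indent is not None and line.strip() and indent_of(line) <= out_indent:
            out_indent = None  # left the outputs: mapping
        if re.match(r"\s*outputs:\s*$", line):
            out_indent = indent_of(line)
        elif out_indent is not None and PASSWORD_REF_RE.search(line):
            findings.append((no, "job output forwards an ECR docker_password"))
    return sorted(findings)

# Constructed sample modelled on the issue's snippet; 123456789012 is a placeholder account ID.
SAMPLE = """\
jobs:
  job-1:
    outputs:
      docker_password: ${{ steps.login-ecr.outputs.docker_password_123456789012_dkr_ecr_eu_central_1_amazonaws_com }}
    steps:
      - id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          mask-password: false
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

Each finding carries the 1-based line number in the workflow file, so the result can be turned directly into review annotations.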
