Support Gitlab variable masking #19
Conversation
This brings in a dependency on the mask crate. The code to support masking artifacts will come later. This only masks the logs passed to Gitlab.
This is only a basic test that the masking is in fact being applied to variables marked as masked. This is not a test of the functionality of the masking crate, only of its integration into this crate.
Although we already automatically mask the trace sent to Gitlab, some runners will produce additional log files or metadata, which must also be masked to prevent secrets from being revealed in the artifact data. This permits client crates to identify a file they wish to upload as additionally requiring masking. Note that the version bump in the masker crate is because we now need to be able to clone the masker for each Uploader to use.
eds-collabora
force-pushed
the
wip/eds/t37702/masking
branch
from
a80338a to
e4d8dce
Compare
|
This does the masking at the point where traces get send to gitlab which is obviously good; However this still means if the runner runs at trace debug level these potentailly sensitive variables end up in the system log; I wonder if it would be worth it pushing things in a higher logging/filtering layer? |
I've been investigating this. It's a bit tricky because there are (as far as I can see) two more levels we could do this at:
I strongly favoured injecting masking into the tracing machinery, but my investigations here have shown this to be quite difficult. While it's possible to define a Tentatively, at this point, I think the way forward in this direction would be to try to create a I don't think just changing |
It's obviously better for this single crate to support variable masking, rather than replicating support in each client.
This PR automatically masks the trace sent to Gitlab, and furthermore permits crates to upload artifacts as masked if they need to (e.g. logs).
This PR is draft pending: