3
0
Fork 0
mirror of https://gitea.com/docker/login-action.git synced 2024-11-25 10:59:37 +01:00

aws: ensure temp credentials redacted in workflow logs

Just for good measure and extra safety, redact temporary
credentials when aws authorization token is retrieved using
IAM authentication credentials to access Amazon ECR.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2022-09-09 00:05:45 +02:00
parent be010b4293
commit 07cad18854
No known key found for this signature in database
GPG key ID: 3248E46B6BB8C7F7
3 changed files with 6 additions and 2 deletions

2
dist/index.js generated vendored

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

View file

@ -96,6 +96,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
} }
const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8'); const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
return [ return [
{ {
registry: 'public.ecr.aws', registry: 'public.ecr.aws',
@ -122,6 +124,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
for (const authData of authTokenResponse.authorizationData) { for (const authData of authTokenResponse.authorizationData) {
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8'); const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
const creds = authToken.split(':', 2); const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
regDatas.push({ regDatas.push({
registry: authData.proxyEndpoint || '', registry: authData.proxyEndpoint || '',
username: creds[0], username: creds[0],