Hide Your Tracks: How to Keep Sensitive Information out of GitHub Actions Logs

Apr 29, 2023
Learning all about GitHub Actions Secrets


One drawback of GitHub Actions is that workflow logs are not private. In a public repository anyone can read them; in a private repository everyone with read access to the repository can.

To make sure confidential data never shows up in a GitHub Actions log, keep it in encrypted environment variables rather than in the workflow file itself. GitHub calls these encrypted variables GitHub Actions Secrets.

This article shows how to use log masking and GitHub Actions Secrets to keep confidential information out of the GitHub Actions logs.

Prerequisites: a GitHub repository you can push to, a local clone of it, and a text editor.

How to Hide Plain Text in GitHub Actions Logs

When you build workflows with GitHub Actions, anyone who can view your repository can also view the logs, so the logs must not contain confidential information. Simply deleting passwords, tokens and other personal data from the workflow is not an option, though, because the workflow needs them to test and run your application.

You can hide such values with the add-mask workflow command. Once a value has been registered with add-mask, the runner replaces every later occurrence of it in the log with asterisks (***).

The next section shows how to mask a value in the log.

How to mask values in the logs

Open the repository you created in your text editor.

The .github/workflows directory at the root of your repository is where workflow files are stored. Create a new file named hide-secrets.yml in the .github/workflows directory and put the following in it:

name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Echo a secret
        run: echo "your secret token is verySecretToken"

Commit the change and push it to your GitHub repository. The new GitHub Actions workflow is now active and runs every time you push a change.

Open your repository on GitHub and click the Actions tab to review your logs. Your workflow run should look like this:

Preview your workflow in GitHub

Looking through the workflow logs, you will find the string verySecretToken printed in plain text. Select the workflow run and click the job name (print-secret-token) to see the log. It should look like this:

Examine your GitHub Actions logs

To hide it, edit hide-secrets.yml and add a step to the print-secret-token job that runs the add-mask command:

name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::verySecretToken"
      - name: Echo a secret
        run: echo "your secret token is verySecretToken"

The Add Mask step has to come before the step that prints the value: masking only applies to output produced after the add-mask command has been processed. If verySecretToken is printed before the Add Mask step runs, it appears in the log in clear. So register the mask as early in the job as you can, before any step that might print the value.

After you commit and push the change to your GitHub repository, verySecretToken is replaced with asterisks (***) in the log:

Masked plain text

This fixes the masking problem but introduces a new one: verySecretToken is still stored in plain text in the workflow file, so everyone with read access to the repository can see it.

A further disadvantage of masking plain text is that the mask is a plain substring match. Masking part of a phrase hides that fragment everywhere it occurs, including inside other words. Take this phrase: "Programming is great, but my best days occur when I'm not writing programs." If you mask the term "program", it is not only hidden where it stands on its own; it is also blanked out wherever it appears inside a longer word, such as "programs".

If you mask it, the log could look like this:

Problem with masking plain text
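The two pitfalls above (masking only takes effect after the add-mask command has been processed, and the mask is a substring match that also hits longer words) are easy to get wrong, so here is a small model of how the runner redacts a job log. This is an added example, not the GitHub runner's code: it reproduces the documented behaviour so the ordering and substring effects can be checked offline. The function names, and the sample log lines, are constructed for this illustration; repository secrets are modelled as values that are masked from the first line of the log.

```python
"""
Model of how a GitHub Actions runner masks values in the job log.

Added example, not the runner's own code. It reproduces two documented
behaviours of the ::add-mask:: workflow command:
  1. a value is masked only in output produced after the add-mask
     command has been processed;
  2. every occurrence of the masked string is replaced, including
     occurrences inside longer words.
Registered repository secrets are modelled as values masked from the
first line of the log.
"""
import re

MASK = "***"
ADD_MASK = re.compile(r"^::add-mask::(.*)$")


def mask_log(lines, secrets=()):
    """Return the log lines as a viewer of the Actions log would see them.

    lines   -- output of the job's steps, in order (constructed sample)
    secrets -- values of repository secrets used by the job; GitHub
               masks these from the start of the log
    """
    masked = [s for s in secrets if s]  # never mask the empty string
    out = []
    for line in lines:
        m = ADD_MASK.match(line)
        if m:
            if m.group(1):
                masked.append(m.group(1))
            continue  # the add-mask command itself is consumed, not printed
        # Longer values first, so a value that contains a shorter one is
        # replaced whole instead of leaving a partial fragment behind.
        for value in sorted(masked, key=len, reverse=True):
            line = line.replace(value, MASK)
        out.append(line)
    return out


# Constructed log of the hide-secrets.yml job, with the token echoed once
# before and once after the Add Mask step.
SAMPLE = [
    "your secret token is verySecretToken",
    "::add-mask::verySecretToken",
    "your secret token is verySecretToken",
]

# Constructed log for the partial-match pitfall described above.
SUBSTRING = [
    "::add-mask::program",
    "programming is great, but my best days occur when I'm not writing programs.",
]


def demo():
    """Run the three scenarios and return their redacted logs."""
    return {
        "plain": mask_log(SAMPLE),
        "substring": mask_log(SUBSTRING),
        "secret": mask_log(SAMPLE, secrets=["verySecretToken"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for line in result:
            print("   ", line)
```

In the "plain" scenario the first line still leaks the token because it was printed before the add-mask command; in the "secret" scenario the same log is clean from the first line, which is the behaviour you get when the value comes from a repository secret instead of a literal in the workflow file.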

The most effective way to hide sensitive information in GitHub Actions logs is to use GitHub Actions Secrets, as described in the next section.

How to use GitHub Actions Secrets

GitHub Actions Secrets store any confidential values you want to use in a GitHub Actions workflow. A secret is a key/value pair created at either the repository level or the organization level.

Secrets created at the organization level are available to every repository in the organization, although you can restrict which repositories may access them.

Secrets created in a repository can be used in that repository's workflows by anyone with collaborator access, and their values are available to any workflow run in the repository, with one exception: secrets are not passed to workflows triggered by a pull request from a fork.

The following rules apply when naming secrets:

  • Secret names may contain only alphanumeric characters and underscores; spaces are not allowed.
  • Secret names are not case-sensitive.
  • Secret names cannot start with a number.
  • Secret names cannot start with the prefix GITHUB_.
  • Secret names must be unique at the level at which they are created.
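The naming rules above can be checked before you try to create a secret (for example in a script that provisions secrets across many repositories). The validator below is an added example written for this article, not GitHub's own validation code; the function and message strings are my own, and it treats uniqueness case-insensitively because names are not case-sensitive.

```python
"""
Validator for GitHub Actions secret names, following the rules listed
above. Added example, not GitHub's own validation code.
"""
import re

# Alphanumeric characters or underscores only, and the first character
# may not be a digit. Spaces are therefore rejected as well.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
RESERVED_PREFIX = "GITHUB_"


def check_secret_name(name, existing=()):
    """Return a list of rule violations; an empty list means the name is valid.

    existing -- names already defined at the same level (repository or
                organization); compared case-insensitively because secret
                names are not case-sensitive.
    """
    if not name:
        return ["is empty"]
    problems = []
    if " " in name:
        problems.append("contains a space")
    elif not NAME_RE.match(name):
        if name[0].isdigit():
            problems.append("starts with a number")
        else:
            problems.append("contains characters other than letters, digits and underscore")
    if name.upper().startswith(RESERVED_PREFIX):
        problems.append("starts with the reserved prefix GITHUB_")
    if name.upper() in {e.upper() for e in existing}:
        problems.append("duplicates an existing secret at this level")
    return problems


if __name__ == "__main__":
    # Constructed names exercising each rule.
    already_defined = ["MY_SECRET_TOKEN"]
    for candidate in ["NPM_TOKEN", "my secret", "1ST_TOKEN", "github_pat",
                      "DB-PASSWORD", "my_secret_token"]:
        print(candidate, "->", check_secret_name(candidate, already_defined) or "ok")
```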

You reference a secret in a workflow by putting its name, prefixed with secrets., inside an expression, like this:

${{ secrets.MY_SECRET_TOKEN }}

You can also mask the secret's value explicitly. This is shown in the next section.

How to Mask Secrets

First, create a repository secret. On GitHub, open your repository's Settings tab, choose Secrets and variables and then Actions in the left sidebar, and click New repository secret:

Create a new repository secret

Enter a name and a value for the secret, then click Add secret:

Add a new GitHub Secret

Once the secret exists with the value verySecretToken, you can use it in the workflow file. Edit hide-secrets.yml as follows:

name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
      - name: Echo a secret
        run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"

The only difference from the previous version is that the hard-coded token has been replaced with the newly created GitHub secret, ${{ secrets.MY_SECRET_TOKEN }}. Note that GitHub already redacts the values of secrets referenced this way from the log automatically, so the explicit Add Mask step is not strictly needed for them; add-mask remains the tool for values that a step derives from a secret at run time (an encoded form of it, or a token fetched with it), which the runner cannot know about. Also, because expressions are expanded into the script text before it runs, it is safer to hand a secret to a step through env: and read it as a shell variable than to interpolate ${{ secrets.X }} directly into run:, where a value containing quotes or shell metacharacters can break or alter the script.

After you commit and push the change to your GitHub repository, the secret stays hidden in the log:

Masked GitHub Actions Secrets

Summary

Never expose confidential information in the GitHub Actions logs. Masking plain text with add-mask is a quick way to hide a value from the log, but anyone who can read the workflow file still sees the value you are trying to protect.

As this tutorial has shown, storing the value as a GitHub Actions Secret and referencing it from the workflow is the more secure way to keep it out of both the file and the logs.
