
Commit b7b0b4c

authored
Merge pull request #645 from crazy-max/secret-enforce-redact
buildx(build): always register as secret the value passed as build secret string
2 parents 01c877d + 6ddae4e commit b7b0b4c

1 file changed

+18
-6
lines changed

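--- a/src/buildx/build.ts
+++ b/src/buildx/build.ts
@@ -32,6 +32,11 @@ export interface BuildOpts {
   buildx?: Buildx;
 }
 
+export interface ResolveSecretsOpts {
+  asFile?: boolean;
+  redact?: boolean;
+}
+
 export class Build {
   private readonly buildx: Buildx;
   private readonly iidFilename: string;
@@ -124,12 +129,16 @@ export class Build {
   }
 
   public static resolveSecretString(kvp: string): string {
-    const [key, file] = Build.resolveSecret(kvp, false);
+    const [key, file] = Build.resolveSecret(kvp, {
+      redact: true
+    });
     return `id=${key},src=${file}`;
   }
 
   public static resolveSecretFile(kvp: string): string {
-    const [key, file] = Build.resolveSecret(kvp, true);
+    const [key, file] = Build.resolveSecret(kvp, {
+      asFile: true
+    });
     return `id=${key},src=${file}`;
   }
 
@@ -138,10 +147,10 @@ export class Build {
     return `id=${key},env=${value}`;
   }
 
-  public static resolveSecret(kvp: string, file: boolean): [string, string] {
-    const [key, value] = Build.parseSecretKvp(kvp);
+  public static resolveSecret(kvp: string, opts?: ResolveSecretsOpts): [string, string] {
+    const [key, value] = Build.parseSecretKvp(kvp, opts?.redact);
     const secretFile = Context.tmpName({tmpdir: Context.tmpDir()});
-    if (file) {
+    if (opts?.asFile) {
       if (!fs.existsSync(value)) {
         throw new Error(`secret file ${value} not found`);
       }
@@ -310,13 +319,16 @@ export class Build {
     return false;
   }
 
-  private static parseSecretKvp(kvp: string): [string, string] {
+  public static parseSecretKvp(kvp: string, redact?: boolean): [string, string] {
     const delimiterIndex = kvp.indexOf('=');
     const key = kvp.substring(0, delimiterIndex);
     const value = kvp.substring(delimiterIndex + 1);
     if (key.length == 0 || value.length == 0) {
       throw new Error(`${kvp} is not a valid secret`);
     }
+    if (redact) {
+      core.setSecret(value);
+    }
     return [key, value];
   }
 }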
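Review bot: In parseSecretKvp the new `core.setSecret(value)` sits after the validity check, so a malformed input that still carries the secret — `=hunter2`, or a bare value with no `=` at all, where `indexOf` returns -1, `key` becomes empty and `value` becomes the whole input — is thrown back verbatim in `${kvp} is not a valid secret` before the runner has been asked to mask it, and that message typically ends up in the job log. Register the mask before validating when `redact` is set and there is something to mask, i.e. move the block above the check as `if (redact && value.length > 0) { core.setSecret(value); }`, so the error text is redacted like every other occurrence. With `redact` defaulting to undefined, callers of the now-public parseSecretKvp get no masking unless they opt in, so the "always" in the commit title holds only for resolveSecretString; a one-line TSDoc on the parameter, `/** Registers the parsed value with the runner's log masking; pass true for anything that is a secret rather than a path or env name. */`, would make that contract explicit. Whether `setSecret` masks each line of a multi-line value separately is runner behaviour rather than something this code controls, so secrets containing newlines are worth confirming.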
