feat: sanitize input tokens #94
| id: secrets | ||
| shell: bash | ||
| run: | | ||
| PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
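Review bot: the `run` body trims a value the step never receives; nothing in the `id: secrets` step shown sets `PIPELINES_READ_TOKEN` in `env:`, so `$PIPELINES_READ_TOKEN` expands empty and `PR_TRIM` is empty too. The trimming itself is also fragile for a secret: the unquoted `echo $PIPELINES_READ_TOKEN` is subject to word splitting and globbing, and `xargs` parses its stdin for quotes and backslashes, so a token containing `"`, `'` or `\` is either altered or makes `xargs` abort with an unmatched-quote error. Suggest adding `env: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}` to the step and trimming with parameter expansion, e.g. `PR_TRIM=${PIPELINES_READ_TOKEN//[[:space:]]/}`, which strips whitespace without handing the secret to a subprocess. Note as well that the lines shown never write `PR_TRIM` to `$GITHUB_OUTPUT`, so later steps cannot read it via `steps.secrets.outputs`.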
This needs to actually reference the secret, its not in env yet.
|
Wouldn't this be simpler in pipelines-credentials? gruntwork-io/pipelines-credentials#8
No argument from me. We'd have to do all the tokens, and still update the references in primary workflows, but it would avoid adding another step to workflows.
| with: | ||
| IS_ROOT: "true" | ||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | ||
| PIPELINES_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} |
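Review bot: the `PIPELINES_READ_TOKEN:` line moves from `secrets.PIPELINES_READ_TOKEN`, which Actions masks in job logs automatically, to `steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN`; a step output is only masked if the step that produces it registers the value with `::add-mask::` before emitting it, so confirm that step does, otherwise the token can land in the log in plain text wherever it is echoed. The hunk also shows no step with id `pipelines-gruntwork-read-token` in this job, and `IS_ROOT: "true"` marks this as the root invocation that reads the secret directly; either add the credentials step (with masking) to this job before relying on its output, or keep the `secrets.` reference here until the preflight rework discussed below is done.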
@Resonance1584 can you confirm this change makes sense? This is the only case where we were reading a secret directly instead of reading from the output of a credentials step.
No, this doesn't make sense without reworking preflight: https://github.com/gruntwork-io/pipelines-actions/blob/main/.github/actions/pipelines-preflight-action/scripts/check-token-permissions.sh#L94-L118
TODO: Test it