Masking Input Parameters in GitHub Actions

jeremy-kaltenbach - Apr 26 '23 - - Dev Community

GitHub actions allow you to add input parameters, which will then be used during runtime of the workflow. The inputs can be passed from a different workflow that is calling the specified workflow (via the workflow_call event) or when the workflow is manually triggered (via workflow_dispatch). For the latter, GitHub will prompt for the inputs in a dialog box before kicking off the workflow.

Note that in the workflow logs, the input parameters will be logged in plain text. So what do we do if one or more inputs contain sensitive information? The common approach would be to use Secrets. These are very useful for encrypting sensitive information, such as API keys and will not be logged in plain sight.

But lets say there is a use-case where a manual workflow will be triggered by multiple users supplying their own credentials. Inputs would be an easier solution here instead of having to frequently update the secrets. Luckily there is a way to make sure those sensitive inputs don't get logged.

In the example below, we have a workflow that will prompt the user for their username and password, and then it will call an API using those credentials (with the help of the http-request-action). The username input is safe to log, but the password should not be shown.

name: Call API Example

on:
  workflow_dispatch:
    inputs:
      username:
        required: true
        type: string
      password:
        required: true
        type: string

jobs:
  do_the_thing:
    runs-on: ubuntu-latest
    steps:
    - name: Mask Password
      run: |
        API_PASSWORD=$(jq -r '.inputs.password' $GITHUB_EVENT_PATH)
        echo ::add-mask::$API_PASSWORD
        echo API_PASSWORD=$API_PASSWORD >> $GITHUB_ENV
    - name: Call API
      uses: fjogeleit/http-request-action@v1.11.1
      with:
        url: https://www.example.com/api/awesome/stuff
        method: 'POST'
        username: ${{ github.event.inputs.username }}
        password: ${{ env.API_PASSWORD }}
Enter fullscreen mode Exit fullscreen mode

To mask the password, a step will need to be added before calling the API. In the step, "Mask Password", we'll make use of the workflow command ::ask-mask::{value}.
Unfortunately, calling add-mask on the input directly (such as ::add-mask::${{ github.event.inputs.password }}) will still expose the input in the log (more info on the bug here: https://github.com/actions/runner/issues/643). But as a workaround, the input parameter needs to first be set to a variable. Then calling add-mask on that variable will properly mask it.
In the workflow example, the 'password' input is first assigned to the variable named API_PASSWORD. Then the add-mask command called with the variable. Finally, API_PASSWORD is set as an environment variable to be used in any following steps of the job.

The output log will then look something like this:

> Mask Password
Run API_PASSWORD=$(jq -r '.inputs.password' $GITHUB_EVENT_PATH)
  API_PASSWORD=$(jq -r '.inputs.password' $GITHUB_EVENT_PATH)
  echo ::add-mask::$API_PASSWORD
  echo API_PASSWORD=$API_PASSWORD >> $GITHUB_ENV
  shell: /usr/bin/bash -e {0}

> Call API
Run fjogeleit/http-request-action@v1.11.1
  with:
    url: https://www.example.com/api/awesome/stuff
    method: POST
    username: bobsmith
    password: ***
    data: {}
    files: {}
    timeout: 5000
  env:
    API_PASSWORD: ***
…
Enter fullscreen mode Exit fullscreen mode
Image
Best Practices for AI Enhanced Agile Acceptance Criteria

ai, documentation, softwaredevelopment, agile
Image
15/365 Days | ¥10M Japan Job Challenge

japan, career
Image
How to reverse the key value pair in map ( typescript)?
Image
How To Create Successful Claims For Asbestosis Techniques From Home
Image
Acronis True Image 27.3.1 Crack With Serial Key [Latest 2024]
Image
The Most Effective Car Keys Repairs Tips To Change Your Life
Image
From Idea to Launch: Mistakes to avoid in your Development process

webdev, beginners, productivity, discuss
Image
Derivation of Welford's Algorithm

statistics, algorithms, datascience
Image
The Biggest Issue With Asbestos Attorney Mesothelioma, And How You Can Fix It
Image
Best Practices for Writing Clean React Code with Examples

cleancode, cleancoding, react
Image
The Three Greatest Moments In Car Key Remote Repair Near Me History
Image
15 Fun And Wacky Hobbies That'll Make You More Successful At Asbestos Cancer Lawsuit Lawyer Mesothelioma Settlement
Image
Prove AI Launches on the Hedera Network: Bringing a New Standard in AI Governance

blockchain, cryptocurrency, hashgraph, hbar
Image
L'IA révolutionne nos environnements de développement !
Image
Next.js on AWS: Deployment Strategies

aws, awscdk, nextjs, typescript
Image
This Is The Ultimate Guide To Self Propelled Wheelchair
Image
11 Methods To Refresh Your Self Propelled Wheelchair With Power Assist
Image
What Will Asbestos Exposure Lawyer Be Like In 100 Years?
Image
What Are The Myths And Facts Behind Asbestos Law Firm
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player