Hide Your Tracks: How to Conceal Secrets in GitHub Actions Logs

Apr 26, 2023
Learning all about GitHub Actions Secrets


One drawback of using GitHub Actions is that your workflow logs are publicly visible: anyone with read access to the repository can view them.

To keep sensitive information out of GitHub Actions logs, store it in encrypted environment variables rather than in plain text. In GitHub Actions these encrypted variables are called Secrets.

This article shows you how to use GitHub Actions Secrets to prevent sensitive data from being logged on the GitHub Actions logs.

Prerequisites:

For more information, follow this tutorial:

How to Keep Your GitHub Actions Logs Private

When you build workflows with GitHub Actions, any visitor to your repository can view the logs, so the logs must not contain sensitive information. Simply deleting your tokens, passwords and other private values is not an option, because you need them for testing and for your application to run properly.

You can conceal these values with the add-mask workflow command, which replaces every occurrence of the masked value in the log with asterisks (*).

The next section will show you how you can mask the log.

How to mask logs

To begin, first open the repository that you have cloned using your text editor.

GitHub Actions reads workflow files from the .github/workflows directory at the root of your repository. Create a new file called hide-secrets.yml in that directory and insert the following code:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Echo a secret
            run: echo "your secret token is verySecretToken"

Commit the change and push it to your GitHub repository. The new GitHub Actions workflow is now active and runs whenever you push a new change.

Go to your repository at GitHub and select the Actions tab to review the logs. Your workflow should appear like this:

Figure: Preview your workflow in GitHub

When you look through the workflow logs, you will see the verySecretToken string printed in them. Click your workflow run, then the job name (print-secret-token), to see the log. It looks something like this:

Figure: Examine your GitHub Actions logs

To hide it, use the add-mask workflow command: edit the hide-secrets.yml file and add a step to the print-secret-token job:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Add Mask
            run: echo "::add-mask::verySecretToken"
          - name: Echo a secret
            run: echo "your secret token is verySecretToken"

Put the Add Mask step first: masking only takes effect after the add-mask command has been processed, so any output containing verySecretToken that is written before that step is logged in clear. To make sure the value is masked, call add-mask as early as possible.

Once you have committed and pushed the change to your GitHub repository, every occurrence of verySecretToken in your logs is replaced by asterisks (*).

Figure: Masking plain text

Although this fixes the masking problem, it introduces a new one: verySecretToken is still written in the workflow file, so anyone with access to the source code can read it.
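One way to catch this in review before it reaches the repository is to lint workflow files for add-mask commands that mask a literal rather than a secrets expression. The check below is an added example and not code from the original article; the function names, the regular expression it uses to recognise a ${{ secrets.NAME }} expression, and the two sample workflow files it writes are assumptions constructed here for illustration.

```shell
#!/bin/sh
# Added example: flag add-mask commands that mask a literal value.
# A literal argument to ::add-mask:: hides the value in the log, but the
# value itself is still committed in the workflow file.

# check_add_mask_literals FILE...
# Prints "file:line:text" for each add-mask line that does not contain a
# ${{ secrets.NAME }} expression; returns 1 if any were found, 0 otherwise,
# so it can gate a CI job or a pre-commit hook.
# Usage: check_add_mask_literals .github/workflows/*.yml
check_add_mask_literals() {
    found=0
    # Acceptable form: the masked value comes from the secrets context.
    # (Assumed regular expression; allows optional spaces inside the braces.)
    secret_expr='\${{ *secrets\.[A-Za-z_][A-Za-z0-9_]* *}}'
    for f in "$@"; do
        # Count add-mask lines that lack a secrets expression.
        # grep -c prints 0 and exits non-zero when nothing matches, hence "|| true".
        n=$(grep -n '::add-mask::' "$f" | grep -vc "$secret_expr") || true
        if [ "$n" -gt 0 ]; then
            found=1
            grep -n '::add-mask::' "$f" | grep -v "$secret_expr" |
                while IFS= read -r hit; do
                    printf '%s:%s\n' "$f" "$hit"
                done
        fi
    done
    return "$found"
}

# make_samples writes two constructed workflow files into a temporary
# directory and prints that directory. bad.yml masks a literal token, as in
# the first add-mask workflow above; good.yml masks a secrets expression.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/bad.yml" <<'EOF'
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::verySecretToken"
      - name: Echo a secret
        run: echo "your secret token is verySecretToken"
EOF
    cat > "$dir/good.yml" <<'EOF'
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
      - name: Echo a secret
        run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"
EOF
    printf '%s\n' "$dir"
}
```

The check is a heuristic: it only sees the add-mask line itself, so a literal that is first stored in a shell variable and masked indirectly is not detected, and a secrets expression on the same line is taken as acceptable even if the literal is also present.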

Another drawback of masking plain text is that masking a fragment of a word hides every occurrence of that fragment, including inside other words. Take this sentence: "Programming is great, but my most productive days are those when I do not write programs." If you mask the term "program", it is hidden not only where it stands on its own in the sentence but everywhere else it appears, such as inside "programming".

If you mask the plain text this way, the log ends up looking something like this:

Figure: The problem with masking plain text
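The two behaviours described in this section, that a mask applies only to output written after the add-mask command has been processed and that it matches the value wherever it appears, including inside longer words, can be reproduced with a small simulation of the runner's log filter. This is an added example, not code from the original article and not the GitHub runner's own implementation; the mask_log function and the job output it is fed are constructed here for illustration.

```shell
#!/bin/sh
# Added example: a simulation of how masked values are filtered from job
# output. The real runner's code differs; only the observable behaviour
# described in the article is modelled here.

# mask_log reads job output on stdin and prints what the log viewer shows.
# A line of the form "::add-mask::VALUE" registers VALUE as a mask and is
# itself dropped, as the runner does with workflow commands. Every later
# line has each registered value replaced by "***" wherever it occurs.
mask_log() {
    awk '
        /^::add-mask::/ {
            # Register the value after the 12-character "::add-mask::" prefix;
            # an empty value is ignored (assumption, to avoid a no-op mask).
            if (length($0) > 12) masks[++n] = substr($0, 13)
            next
        }
        {
            line = $0
            for (i = 1; i <= n; i++) {
                m = masks[i]; ml = length(m); out = ""
                # Literal substring replacement (not a regex), so the value
                # is also hit when it sits inside a longer word.
                while ((p = index(line, m)) > 0) {
                    out = out substr(line, 1, p - 1) "***"
                    line = substr(line, p + ml)
                }
                line = out line
            }
            print line
        }
    '
}

# Constructed job output: the token is printed once before the mask is
# registered and once after. Only the second occurrence is hidden.
demo_ordering() {
    printf '%s\n' \
        'your secret token is verySecretToken' \
        '::add-mask::verySecretToken' \
        'your secret token is verySecretToken' | mask_log
}

# Constructed job output: masking "program" also hits "programming" and
# "programs", leaving "***ming" and "***s" in the log.
demo_substring() {
    printf '%s\n' \
        '::add-mask::program' \
        'programming is great, but I do not write programs today' | mask_log
}
```

Run demo_ordering to see why the Add Mask step has to come first, and demo_substring to see the partial-word effect shown in the screenshot above.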

The best method of hiding sensitive data in GitHub Actions logs is to utilize GitHub Actions Secrets, as shown in the next section.

How To Use GitHub Actions Secrets

GitHub Actions Secrets store any private data you want to use in a GitHub Actions workflow. Secrets are created as key/value pairs at the organization or repository level.

A repository can only access secrets created at its own level, while secrets created at the organization level are shared with all repositories in the organization.

Anyone with the collaborator role on a repository can use its repository-level secrets in actions. You can change the value of a secret at any time. However, secrets are not passed to workflows triggered from a forked repository.

These rules apply to the naming secret:

  • Secret names can't contain spaces.
  • Secret names are not case-sensitive.
  • Secret names are not able to begin with a number.
  • Secret names should not start with the prefix GITHUB_.
  • Secret names must be unique at the same level; two secrets with the same name cannot exist at the same level.

You reference a secret in a workflow through the secrets context, prefixing the secret name with secrets. inside a YAML expression, as shown below:

    ${{ secrets.MY_SECRET_TOKEN }}

Additionally, you can hide secret information to increase security as illustrated in the following section.

How to Mask Secrets

The first step is to create a GitHub secret. In your repository on GitHub, go to the Settings tab, select Secrets > Actions from the left sidebar, and then select Create a new repository secret to add a new secret:

Figure: Create a new repository secret

Enter a secret name and the secret value, then press Add secret:

Figure: Add a new GitHub Secret

Now that you have created the secret and assigned it the token value, you can use it in your workflow file. Open hide-secrets.yml and make the following changes:

    name: Hide Sensitive Information
    on: push
    jobs:
      print-secret-token:
        runs-on: ubuntu-latest
        steps:
          - name: Add Mask
            run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
          - name: Echo a secret
            run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"

The only difference from the previous version is that the literal token has been replaced by the newly created GitHub secret, ${{ secrets.MY_SECRET_TOKEN }}.

After you commit the code and push the update to your GitHub repository, the secret stays hidden:

Figure: Masked GitHub Actions Secrets

Summary

Never reveal sensitive information in your GitHub Actions logs. Masking plain text is one way to hide data, but anyone who can access the workflow file can still read the value you are trying to keep secret.

This tutorial showed a more secure approach: store confidential data in GitHub Actions Secrets and then mask it in the logs.