aws: ensure temp credentials redacted in workflow logs

Just for good measure and extra safety, redact temporary credentials when aws authorization token is retrieved using IAM authentication credentials to access Amazon ECR. Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-09 00:05:45 +02:00 · 2022-09-09 00:05:45 +02:00 · 07cad18854
parent be010b4293
commit 07cad18854
3 changed files with 6 additions and 2 deletions
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/src/aws.ts
+++ b/src/aws.ts
@ -96,6 +96,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
    }
    const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
    const creds = authToken.split(':', 2);
+    core.setSecret(creds[0]); // redacted in workflow logs
+    core.setSecret(creds[1]); // redacted in workflow logs
    return [
      {
        registry: 'public.ecr.aws',
@ -122,6 +124,8 @@ export const getRegistriesData = async (registry: string, username?: string, pas
    for (const authData of authTokenResponse.authorizationData) {
      const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
      const creds = authToken.split(':', 2);
+      core.setSecret(creds[0]); // redacted in workflow logs
+      core.setSecret(creds[1]); // redacted in workflow logs
      regDatas.push({
        registry: authData.proxyEndpoint || '',
        username: creds[0],