Masks access token explicitly (#31)

.changeset/funny-rice-itch.md

@@ -0,0 +1,5 @@
+---
+"@octopusdeploy/login": patch
+---
+
+Adds explicit masking of access token in logs

src/GitHubActionsContext.ts

@@ -7,6 +7,7 @@ export interface GitHubActionsContext {
 
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     setOutput: (name: string, value: any) => void;
+    setSecret: (secret: string) => void;
     setFailed: (message: string) => void;
     exportVariable: (name: string, val: unknown) => void;
 

src/GitHubActionsContextImpl.ts

@@ -1,4 +1,4 @@
-import { getInput, setOutput, setFailed, info, exportVariable, getIDToken, error, debug, warning } from "@actions/core";
+import { getInput, setOutput, setFailed, info, exportVariable, getIDToken, error, debug, warning, setSecret } from "@actions/core";
 import type { GitHubActionsContext, InputOptions } from "./GitHubActionsContext";
 
 export class GitHubActionsContextImpl implements GitHubActionsContext {
@@ -26,6 +26,10 @@ export class GitHubActionsContextImpl implements GitHubActionsContext {
         return setOutput(name, value);
     }
 
+    setSecret(secret: string): void {
+        return setSecret(secret);
+    }
+
     setFailed(message: string): void {
         return setFailed(message);
     }

src/TestGitHubActionContext.ts

@@ -5,6 +5,7 @@ type GetIDTokenFactory = (aud?: string) => Promise<string>;
 export class TestGitHubActionContext implements GitHubActionsContext {
     inputs: Record<string, string> = {};
     outputs: Record<string, unknown> = {};
+    secrets: string[] = [];
     exportedVariables: Record<string, unknown> = {};
     failureMessage: string | undefined;
     idTokenFactory: GetIDTokenFactory | undefined;
@@ -17,6 +18,10 @@ export class TestGitHubActionContext implements GitHubActionsContext {
         return this.outputs;
     }
 
+    getSecrets() {
+        return this.secrets;
+    }
+
     getExportedVariables() {
         return this.exportedVariables;
     }
@@ -39,6 +44,10 @@ export class TestGitHubActionContext implements GitHubActionsContext {
         this.outputs[name] = value;
     }
 
+    setSecret(secret: string): void {
+        this.secrets.push(secret);
+    }
+
     setFailed(message: string): void {
         this.failureMessage = message;
     }

src/__tests__/login.spec.ts

@@ -24,7 +24,7 @@ test("Login with API Key sets correct environment variables and output", async (
     });
 });
 
-test("Successful login with OIDC sets correct environment variables and output", async () => {
+test("Successful login with OIDC sets correct environment variables, outputs and masks the access token", async () => {
     const context = new TestGitHubActionContext();
     const serverUrl = "https://my.octopus.app";
     const serviceAccountId = "my-service-account-id";
@@ -70,6 +70,8 @@ test("Successful login with OIDC sets correct environment variables and output",
             server: serverUrl,
             access_token: accessToken,
         });
+
+        expect(context.getSecrets()).toEqual([accessToken]);
     } finally {
         server.close();
     }

src/login.ts

@@ -85,6 +85,9 @@ export async function login(context: GitHubActionsContext) {
             `Configuring environment to use access token for Octopus Instance '${inputs.server}' on behalf of service account '${inputs.serviceAccountId}'`
         );
 
+        // Set the value as a secret so we can be 100% sure its masked in any logs
+        context.setSecret(exchangeOidcTokenResponse.access_token);
+
         context.exportVariable(EnvironmentVariables.URL, inputs.server);
         context.exportVariable(EnvironmentVariables.AccessToken, exchangeOidcTokenResponse.access_token);
         context.setOutput("access_token", exchangeOidcTokenResponse.access_token);