feat: sanitize input tokens #94
Conversation
.github/workflows/pipelines-root.yml
Outdated
| id: secrets | ||
| shell: bash | ||
| run: | | ||
| PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
There was a problem hiding this comment.
This needs to actually reference the secret, its not in env yet.
|
Wouldn't this be simpler in pipelines-credentials? gruntwork-io/pipelines-credentials#8 |
No argument from me. We'd have to do all the tokens, and still update the references in primary workflows, but it would avoid adding another step to workflows. |
| @@ -120,7 +120,7 @@ jobs: | |||
| uses: ./pipelines-actions/.github/actions/pipelines-preflight-action | |||
| with: | |||
| IS_ROOT: "true" | |||
| PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} | |||
| PIPELINES_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} | |||
There was a problem hiding this comment.
@Resonance1584 can you confirm this change makes sense? This is the only case where we were reading a secret directly instead of reading from the output of a credentials step
There was a problem hiding this comment.
No this doesn't make sense without reworking preflight https://github.com/gruntwork-io/pipelines-actions/blob/main/.github/actions/pipelines-preflight-action/scripts/check-token-permissions.sh#L94-L118
TODO: Test it