-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change docker_username and docker_password output variables for ECR private repositories #483
Comments
You have to vote / create a GitHub Actions feature request (https://github.com/orgs/community/discussions/categories/actions) for sharing secrets via job outputs. If these values are masked the actions/runner skips sending the outputs and if not they are leaked at least while step debugging is on.
|
Thanks @ChristopherHX , also for the output construct (much better than my jq statement). I've put in a FR now: https://github.com/orgs/community/discussions/62269 |
The ::add-mask:: command works as long it is used as it has been designed and all escaping rules are correctly applied. Only this action can mask it's outputs, any attempt to do it later is going to leak the output to the console. Seems like you have created two feature requests in one discussion. The maintainer of this repo may consider to add a core.setSecret (alias ::add-mask:: with escaping rules for ln, cr and percent) for the output value before settting the output Lines 172 to 173 in c2d6bdb
As of this time your usecase will blow up as described above and others may depend on unmasked outputs due to the GitHub Actions limitation of beeing unable to share secrets via job outputs. |
omg thank you! this really saved me, finally some working workaround it would be great to add this to README |
Is your feature request related to a problem? Please describe.
We're having a reusable workflow in which we're pulling a base image from ECR from multiple AWS accounts. Passing the credentials to another job is hard, since the output variable is dynamic depending on the account on which the calling repo is authenticated to. I.e.
Describe the solution you'd like
Change the output variables for a private ECR to docker_username_private_ecr_aws and docker_password_private_ecr_aws respectively instead of a dynamic generated output variable.
The text was updated successfully, but these errors were encountered: