`.secrets` file is exposed to workflows #2196
Comments
I have a question about this problem, because I don't fully understand it. Does
|
I'm concerned that GitHub Actions has secrets, but it goes to great lengths not to dump them into the file system unprompted. |
Act reads Do you propose to add additional ignores hardcoded into act? |
If act is using Or at the very least, if it isn't ignored by |
fwiw, yes, Heck, the fact that It's just mentioned in the help:
% act --help|grep secrets|grep default
--secret-file string file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets")
I really really really wish it was documented in the main README.md. |
Lines 318 to 322 in 651e713
|
Maybe early exit act if Just an idea from my side. Technically the readme is obsolete and new content should go to https://nektosact.com/ https://github.com/nektos/act-docs |
Practically that webpage doesn't work: But if it did, then the contents of the readme should be removed and replaced with "See https://nektosact.com/" |
Until then, the |
I'm less a doc writer than you are, based on your documentation fixes across GitHub.
In fact these are empty pages, over in the docu sources. Both Readme and that are markdown. I'm usually not writing any documentation.... Like, nowhere is it mentioned that:
all accept yaml since a 3/4 year, because I somewhat don't like godotenv syntax. |
I'd be 💯 in favor of:
|
I'm a coder, and can write docs, but only about things I know enough about, and within some time constraints. I'm not going to write docs from scratch. I will do minor doc fixes within reason -- as long as they're relatively cheap to do. |
Fwiw, I landed on https://nektosact.com/ w/in the past week or two, tried to use it, decided it was mostly broken and basically discarded it. |
yeah two important pages are empty, this should certainly be corrected. Other than that it contains information not found in the readme + has a search bar |
Once those two pages are fixed the readme in this repository should be truncated to have very little :) Otherwise you're splitting focus and increasing likelihood of people not visiting the doc site. |
@jsoref FYI the landing pages seem to be fixed now: |
Issue is stale and will be closed in 14 days unless there is new activity |
So, https://nektosact.com/usage/index.html?highlight=secret#secrets doesn't warn that the files are likely to be copied over by act. It could suggest using |
Bug report info
Command used with act
~/code/nektos/act/dist/local/act --use-new-action-cache -j prettier
Describe issue
the prettier workflow i'm using does a `git add .`, a `git commit`, and a `git show HEAD` (or something functionally equivalent).
The output shows that the `.secrets` file is included in the workspace and thus effectively leaked to the workflow
Link to GitHub repository
No response
Workflow content
Relevant log output
The `.dockerignore` was because i wanted to see if using `.secrets` in `.dockerignore` would fix it -- it didn't
Additional information
I "worked around" this by using `--secret-file .git/act-secrets`, but this didn't technically protect the file from being leaked to the workflow, it just prevented the git commit from catching the file.
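A pre-flight check for the exposure reported in this issue, as an added example that is not part of the original thread and not act's own code. It assumes the workspace handed to the workflow is the directory act is started from; the function names are hypothetical, and only the `--secret-file` flag comes from the page.

```shell
#!/bin/sh
# Added example: refuse to start act when the secrets file sits inside the
# workspace, because anything in the workspace is visible to workflow steps.

# secret_file_outside_workspace WORKSPACE SECRET_FILE
# Returns 0 if SECRET_FILE is outside WORKSPACE,
#         1 if it is inside (for example .secrets or .git/act-secrets),
#         2 if the file or the workspace cannot be resolved.
secret_file_outside_workspace() {
    workspace=$1
    secret=$2
    [ -f "$secret" ] || return 2
    # Resolve both directories physically so relative paths, "..", and
    # symlinked directories compare correctly.
    ws_real=$(cd "$workspace" && pwd -P) || return 2
    sec_dir=$(cd "$(dirname "$secret")" && pwd -P) || return 2
    case "$sec_dir/" in
        "$ws_real"/*) return 1 ;;   # same directory or any subdirectory
    esac
    return 0
}

# run_act_with_secrets SECRET_FILE [act arguments...]
# Hypothetical wrapper: runs act only when the check above passes.
run_act_with_secrets() {
    secret_path=$1
    shift
    if secret_file_outside_workspace "$PWD" "$secret_path"; then
        act --secret-file "$secret_path" "$@"
    else
        echo "refusing to run act: $secret_path is missing or inside $PWD" >&2
        return 1
    fi
}
```

Called as `run_act_with_secrets ~/.config/act-secrets -j prettier` (a constructed path), the wrapper starts act only when the file lives outside the repository. The `.git/act-secrets` location from the workaround above is rejected because it is still inside the workspace.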