
.secrets file is exposed to workflows #2196

Open
jsoref opened this issue Feb 1, 2024 · 18 comments
Labels
kind/bug Something isn't working

Comments

@jsoref (Contributor) commented Feb 1, 2024

Bug report info

act version:            4ca35d2
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
	/var/run/docker.sock
Config files:           
	/Users/jsoref/.actrc:
		#-P ubuntu-latest=node:12.20.1-buster-slim
		#-P ubuntu-20.04=node:12.20.1-buster-slim
		#-P ubuntu-18.04=node:12.20.1-buster-slim
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
		-P ubuntu-16.04=catthehacker/ubuntu:act-16.04
		-P self-hosted=catthehacker/ubuntu:act-latest
		-P ubuntu-latest-4cpu=ubuntu:act-latest
		-P ubuntu-latest-8cpu=ubuntu:act-latest
Build info:
	Go version:            go1.21.6
	Module path:           command-line-arguments
	Main version:          
	Main path:             
	Main checksum:         
	Build settings:
		-buildmode:           exe
		-compiler:            gc
		-ldflags:             -X main.version=4ca35d2
		DefaultGODEBUG:       panicnil=1
		CGO_ENABLED:          1
		CGO_CFLAGS:           
		CGO_CPPFLAGS:         
		CGO_CXXFLAGS:         
		CGO_LDFLAGS:          
		GOARCH:               arm64
		GOOS:                 darwin
Docker Engine:
	Engine version:        23.0.6
	Engine runtime:        runc
	Cgroup version:        1
	Cgroup driver:         cgroupfs
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Alpine Linux v3.18
	OS type:               linux
	OS version:            3.18.5
	OS arch:               aarch64
	OS kernel:             6.1.64-0-virt
	OS CPU:                2
	OS memory:             1973 MB
	Security options:
		name=seccomp,profile=builtin

Command used with act

~/code/nektos/act/dist/local/act --use-new-action-cache -j prettier

Describe issue

The prettier workflow I'm using does a `git add .`, a `git commit`, and a `git show HEAD` (or something functionally equivalent).

The output shows that the `.secrets` file is included in the workspace and thus effectively leaked to the workflow.

Link to GitHub repository

No response

Workflow content

name: Prettier for JS/TypeScript Code

on:
  push

jobs:
  prettier:
    name: Prettier
    runs-on: ubuntu-latest

    steps:
      - name: Prettier
        uses: garnercorp/build-actions/prettier@updates
        with:
          prettier-options: "--write **/*.ts"
          push-to-remote: false

Relevant log output

| No package-lock.json file.
| [action-prettier d4cee98] Prettified Code!
|  Author: nektos/act <nektos/[email protected]>
|  2 files changed, 2 insertions(+)
|  create mode 100644 .dockerignore
|  create mode 100644 .secrets

The `.dockerignore` was because I wanted to see if listing `.secrets` in `.dockerignore` would fix it; it didn't.

Additional information

I "worked around" this by using `--secret-file .git/act-secrets`, but this didn't technically protect the file from being leaked to the workflow; it just prevented the `git commit` from catching the file.

@jsoref jsoref added the kind/bug Something isn't working label Feb 1, 2024
@ChristopherHX (Contributor) commented Feb 1, 2024

I have a question about this problem, because I don't fully understand it.

Does `.gitignore` exclude the `.secrets` file, so that it is not in the git index? (In that case the file is not copied into the container and is not accessible to the workflow; it also won't be added by `git add .`, even outside a container.)

`.dockerignore` isn't really used by act in most places (maybe only for legacy remote actions, and only if the action uses a Dockerfile).

@jsoref (Contributor, Author) commented Feb 1, 2024

I'm concerned that act has copied over the file in the first place. It isn't so much that `.gitignore` doesn't know not to add the file.

GitHub Actions has secrets, but it goes to great lengths not to dump them into the file system unprompted.

@ChristopherHX (Contributor)

Act reads `.gitignore` to decide which files not to copy into the container.

Do you propose adding additional ignores hardcoded into act?

@jsoref (Contributor, Author) commented Feb 1, 2024

If act is using `.secrets`, then yes.

Or at the very least, if the file isn't ignored by `.gitignore` and was used by act, then act needs to warn that it's going to leak the file to the workspace.

@jsoref (Contributor, Author) commented Feb 1, 2024

FWIW, yes, `.gitignore` does keep the file out, but that isn't remotely obvious.

Heck, the fact that `.secrets` is automatically used isn't mentioned in any README.md or similar thing in this repository.

It's just mentioned in the help:

 % act --help|grep secrets|grep default
      --secret-file string                                file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets")

I really really really wish it was documented in the main README.md.

@jsoref (Contributor, Author) commented Feb 1, 2024

act/README.md, lines 318 to 322 in 651e713:

## `.secrets`
By default you can create a `.secrets` file in the root of the repository and it will be used automatically.
Note that you should add `.secrets` to your `.gitignore` file, otherwise the `.secrets` file will be leaked to your workflows.

@ChristopherHX (Contributor)

Maybe early-exit act if the `--secret-file` exists but is not ignored. To accept the risk and allow running anyway, the user would need to pass `--allow-leaking-secret-file` to opt out.

Just an idea from my side.

Technically the readme is obsolete, and new content should go to https://nektosact.com/ (https://github.com/nektos/act-docs).
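The early-exit check proposed above, written out as an added example in Go. This is not act's code: act has no `--allow-leaking-secret-file` flag today, and the `.gitignore` matching here is a simplified stand-in for git's full rules (last match wins, `!` negates, a leading `/` anchors to the repository root, a bare name matches at any depth, `dir/` covers its contents). It assumes the secret file path is given relative to the repository root, that a path outside the root (`../act-secrets`) is not part of the workspace copy, and that a file under `.git/` is still copied, as the original report observed. The environment variable used by `main` as the opt-out is likewise a placeholder for the proposed flag.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// SecretFileStatus is the outcome of the preflight check.
type SecretFileStatus int

const (
	SecretFileAbsent      SecretFileStatus = iota // no such file, nothing can leak
	SecretFileOutsideRepo                         // e.g. ../act-secrets: not part of the workspace copy (assumption)
	SecretFileIgnored                             // excluded by .gitignore, so not copied into the container
	SecretFileExposed                             // would be copied into the job workspace
)

func (s SecretFileStatus) String() string {
	return [...]string{"absent", "outside-repo", "ignored", "EXPOSED"}[s]
}

// ErrSecretFileExposed is the early-exit error for the unsafe case.
var ErrSecretFileExposed = errors.New(
	"secret file is not ignored by .gitignore and would be copied into the job workspace; " +
		"pass --allow-leaking-secret-file (hypothetical flag) to run anyway")

// parseGitignore keeps the non-empty, non-comment pattern lines of a .gitignore body.
func parseGitignore(body string) []string {
	var patterns []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		patterns = append(patterns, line)
	}
	return patterns
}

// ignoredBy is a simplified gitignore matcher (not git's full semantics, see lead-in).
func ignoredBy(patterns []string, rel string) bool {
	rel = filepath.ToSlash(rel)
	ignored := false
	for _, p := range patterns {
		negate := strings.HasPrefix(p, "!")
		p = strings.TrimSuffix(strings.TrimPrefix(p, "!"), "/")
		var matched bool
		switch {
		case strings.HasPrefix(p, "/"): // anchored to the repository root
			matched, _ = path.Match(strings.TrimPrefix(p, "/"), rel)
		case strings.Contains(p, "/"): // relative path pattern
			matched, _ = path.Match(p, rel)
		default: // bare name: matches the basename at any depth
			matched, _ = path.Match(p, path.Base(rel))
		}
		if !matched && strings.HasPrefix(rel, strings.TrimPrefix(p, "/")+"/") {
			matched = true // inside an ignored directory
		}
		if matched {
			ignored = !negate // last matching pattern wins
		}
	}
	return ignored
}

// classifySecretFile says what would happen to secretFile (a path relative to the
// repository root, as given to --secret-file) when the workspace is copied.
func classifySecretFile(secretFile string, exists bool, gitignoreBody string) SecretFileStatus {
	if !exists {
		return SecretFileAbsent
	}
	rel := filepath.ToSlash(filepath.Clean(secretFile))
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return SecretFileOutsideRepo
	}
	if ignoredBy(parseGitignore(gitignoreBody), rel) {
		return SecretFileIgnored
	}
	return SecretFileExposed
}

// preflight refuses the run for an exposed secret file unless the opt-out is set.
func preflight(status SecretFileStatus, allowLeak bool) error {
	if status == SecretFileExposed && !allowLeak {
		return ErrSecretFileExposed
	}
	return nil
}

func main() {
	secretFile := ".secrets" // act's default, per `act --help`
	if len(os.Args) > 1 {
		secretFile = os.Args[1]
	}
	_, statErr := os.Stat(secretFile)
	gitignore, _ := os.ReadFile(".gitignore") // a missing .gitignore means nothing is ignored
	status := classifySecretFile(secretFile, statErr == nil, string(gitignore))
	// ACT_ALLOW_LEAKING_SECRET_FILE is a placeholder for the proposed flag, not a real act setting.
	if err := preflight(status, os.Getenv("ACT_ALLOW_LEAKING_SECRET_FILE") == "1"); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("secret file %q: %s\n", secretFile, status)
}
```

Run it from a repository root with `go run preflight.go [path-to-secret-file]`; with an un-ignored `.secrets` present it exits non-zero, which is the behaviour proposed for act itself. Note that the `.git/act-secrets` workaround from the report still classifies as exposed, since nothing in `.gitignore` covers it and the `.git` directory is part of the copy.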

@jsoref (Contributor, Author) commented Feb 1, 2024

Practically, that webpage doesn't work (image attached).

But if it did, then the contents of the readme should be removed and replaced with "See https://nektosact.com/".

@jsoref (Contributor, Author) commented Feb 1, 2024

Until then, the `.env` stuff could also be dramatically improved: jsoref@5f3b6bf

@ChristopherHX (Contributor)

I'm less of a doc writer than you are, based on your documentation fixes across GitHub.

> Practically that webpage doesn't work:

In fact these are empty pages over in the docs sources. Both the readme and those are markdown.

I'm usually not writing any documentation...

Like, nowhere is it mentioned that:

  • `--env-file env.yml`
  • `--secret-file secrets.yml`

both accept YAML, and have for about three quarters of a year, because I somewhat don't like the godotenv syntax.

@jsoref (Contributor, Author) commented Feb 1, 2024

I'd be 💯 in favor of:

> Maybe early exit act if --secret-file exists, but not ignored. To accept the risk and allow running it, they need to use --allow-leaking-secret-file to opt out.

@jsoref (Contributor, Author) commented Feb 1, 2024

I'm a coder and can write docs, but only about things I know enough about, and within some time constraints. I'm not going to write docs from scratch. I will do minor doc fixes within reason, as long as they're relatively cheap to do.

@jsoref (Contributor, Author) commented Feb 1, 2024

FWIW, I landed on https://nektosact.com/ within the past week or two, tried to use it, decided it was mostly broken, and basically discarded it.

@ChristopherHX (Contributor)

Yeah, two important pages are empty; this should certainly be corrected. Other than that, it contains information not found in the readme and has a search bar.

@jsoref (Contributor, Author) commented Feb 1, 2024

Once those two pages are fixed, the readme in this repository should be truncated to very little :)

Otherwise you're splitting focus and increasing the likelihood of people not visiting the doc site.

@janbrasna

@jsoref FYI the landing pages seem to be fixed now:

github-actions bot (Contributor) commented Sep 9, 2024

Issue is stale and will be closed in 14 days unless there is new activity

@github-actions github-actions bot added the stale label Sep 9, 2024
@jsoref (Contributor, Author) commented Sep 9, 2024

So, https://nektosact.com/usage/index.html?highlight=secret#secrets doesn't warn that the files are likely to be copied over by act.

It could suggest using `.git/...`, `../...`, or using `.gitignore`.

@github-actions github-actions bot removed the stale label Sep 10, 2024