From 30ab5fb28a2ec0d72157e69aa2fa865b7b801040 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 18:55:00 -0700
Subject: [PATCH 01/12] feat: add a new test secret workflow
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 33 +++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/test-for-secrets.yaml
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
new file mode 100644
index 0000000..59c7e58
--- /dev/null
+++ b/.github/workflows/test-for-secrets.yaml
@@ -0,0 +1,33 @@
+name: Test for Secrets Access
+
+description: Test for secrets access. NEVER run this with a secret other than the "TEST_REPOSITORY_SECRET"
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    - assigned
+    - unassigned
+    - labeled
+    - unlabeled
+    - opened
+    - edited
+    - reopened
+
+env:
+  TEST_SECRET: ${{ secrets.TEST_REPOSITORY_SECRET }}
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  test-for-secret-access:
+    runs-on: ubuntu-latest
+    steps:
+      name: Test for Secret Access
+      run: |
+        echo "Secret is: ${TEST_SECRET}"
\ No newline at end of file
From de1062ed0355c3f2e25b0244a47f19ac66f8604d Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 18:55:45 -0700
Subject: [PATCH 02/12] break workflow
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 59c7e58..2e25791 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -23,7 +23,7 @@ defaults:
 permissions:
   contents: read
   actions: read
-
+breaks
 jobs:
   test-for-secret-access:
     runs-on: ubuntu-latest
From b32afd4893ff8db78fa7cb2814263202bc972fbc Mon Sep 17 00:00:00 2001
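Review bot: The `steps:` block in the new file is a mapping rather than a list — `name:` and `run:` must form one list item (`- name: Test for Secret Access` followed by an indented `run: |`) — and `pull_request_target:` is given a bare sequence where the workflow schema expects a `types:` key holding that sequence, so the file will not validate as written. Top-level `description:` is not part of the documented workflow schema; if the runner tolerates it, it is still dead config and reads better as a `#` comment. Separately, `env: TEST_SECRET: ${{ secrets.TEST_REPOSITORY_SECRET }}` is declared at workflow scope, which hands the secret to every job and step this file ever gains, and the last `echo` line deliberately writes it to the job log; the warning in the description should be repeated as a comment directly above `env:` so it survives a copy-paste into another workflow.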
From: Andrew Brandt
Date: Thu, 1 May 2025 18:56:04 -0700
Subject: [PATCH 03/12] fix workflow
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 2e25791..59c7e58 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -23,7 +23,7 @@ defaults:
 permissions:
   contents: read
   actions: read
-breaks
+
 jobs:
   test-for-secret-access:
     runs-on: ubuntu-latest
From ceec6a5f773aa75bdebe67be9ababdda3de13519 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 18:56:48 -0700
Subject: [PATCH 04/12] fix workflow more
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 59c7e58..29ad648 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -3,7 +3,6 @@ name: Test for Secrets Access
 description: Test for secrets access. NEVER run this with a secret other than the "TEST_REPOSITORY_SECRET"
 
 on:
-  workflow_dispatch:
   pull_request_target:
     - assigned
     - unassigned
@@ -12,6 +11,7 @@ on:
     - opened
     - edited
     - reopened
+  workflow_dispatch:
 
 env:
   TEST_SECRET: ${{ secrets.TEST_REPOSITORY_SECRET }}
From 6b96782f8f952ac410a728ca00e37877048258b9 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 18:57:16 -0700
Subject: [PATCH 05/12] remove pull_request_target
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 29ad648..192c8f5 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
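Review bot: Moving `workflow_dispatch:` below the list leaves the actual schema problem in the context lines of the first hunk: the entries under `pull_request_target:` are a bare sequence (`- assigned`, `- unassigned`, …) where the workflow schema expects a mapping, so if the goal of "fix workflow more" was to get the file parsing, this reordering does not get there. The shape that validates is `pull_request_target:` / `  types:` / `    - assigned` with the remaining events at the same six-column indent. Both hunks touch only the `on:` block; the jobs that consume these triggers are outside the hunks.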
@@ -3,14 +3,6 @@ name: Test for Secrets Access
 description: Test for secrets access. NEVER run this with a secret other than the "TEST_REPOSITORY_SECRET"
 
 on:
-  pull_request_target:
-    - assigned
-    - unassigned
-    - labeled
-    - unlabeled
-    - opened
-    - edited
-    - reopened
   workflow_dispatch:
 
 env:
From ef9cf9767e5e4fd4b3d1b477157afd5407be0860 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 19:00:06 -0700
Subject: [PATCH 06/12] fix again
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 192c8f5..211edfe 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -20,6 +20,7 @@ jobs:
   test-for-secret-access:
     runs-on: ubuntu-latest
     steps:
-      name: Test for Secret Access
-      run: |
-        echo "Secret is: ${TEST_SECRET}"
\ No newline at end of file
+      - name: Test for Secret Access
+        run: |
+          echo "Secret is: ${TEST_SECRET}"
+
From 18135d94b4895d34bc0a30225400684164bbb4b7 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 19:02:42 -0700
Subject: [PATCH 07/12] switch attempting to print out secret
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 211edfe..b57c7a8 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -22,5 +22,5 @@ jobs:
     steps:
       - name: Test for Secret Access
         run: |
-          echo "Secret is: ${TEST_SECRET}"
+          echo "Secret is: $(cat ${{ secrets.TEST_REPOSITORY_SECRET }})"
 
From 1ca95902236416b0e7e35e676384597d2106f1dd Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 19:03:32 -0700
Subject: [PATCH 08/12] switch again
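Review bot: Interpolating `${{ secrets.TEST_REPOSITORY_SECRET }}` straight into `run:` (PATCH 07) is the expression-injection pattern: the value is pasted into the script text before bash parses it, so a secret containing `"`, `)` or `;` changes the command instead of being data, and `cat` then treats the value as a file path, so the line will not print the secret either way. For an access check keep the value in the environment (the workflow-level `TEST_SECRET` already does this) and test only for presence, e.g. `if [ -n "$TEST_SECRET" ]; then echo "secret is available"; else echo "secret is empty"; fi` — that proves the job can see the secret without writing it to the log. The job's `steps:` list starts above this hunk.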
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index b57c7a8..77ffe3e 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -22,5 +22,5 @@ jobs:
     steps:
       - name: Test for Secret Access
         run: |
-          echo "Secret is: $(cat ${{ secrets.TEST_REPOSITORY_SECRET }})"
+          echo "Secret is: $(cat TEST_SECRET)"
 
From fe1165e62b6eed6d3887f1007830c4e3ca708019 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 19:04:39 -0700
Subject: [PATCH 09/12] remove mask
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 77ffe3e..ca04bf3 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -22,5 +22,6 @@ jobs:
     steps:
       - name: Test for Secret Access
         run: |
-          echo "Secret is: $(cat TEST_SECRET)"
+          echo "::remove-mask::$TEST_SECRET"
+          echo "Secret is: $TEST_SECRET"
 
From dbb768877d2df0b95fa9a255d131af6625c1307e Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 19:05:53 -0700
Subject: [PATCH 10/12] base 64 workaround
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index ca04bf3..c1bdd25 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -22,6 +22,5 @@ jobs:
     steps:
       - name: Test for Secret Access
         run: |
-          echo "::remove-mask::$TEST_SECRET"
-          echo "Secret is: $TEST_SECRET"
+          echo "Secret (base64-encoded): $(echo "$TEST_SECRET" | base64)"
 
From 675b5a331c2652ec5a39a2e6fe9a0bd091804084 Mon Sep 17 00:00:00 2001
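Review bot: `$(cat TEST_SECRET)` in PATCH 08 reads a file named `TEST_SECRET` from the working directory; there is no checkout or file-writing step in this workflow, so the command fails with a no-such-file error and prints an empty value, which tells you nothing about secret access. The working form is the environment variable, `echo "Secret is: $TEST_SECRET"`, or better a presence check such as `[ -n "$TEST_SECRET" ] && echo "secret is available"`.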
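Review bot: `::remove-mask::` in PATCH 09 is not a workflow command the runner documents — only `::add-mask::` exists — so the line is, at best, echoed or flagged as unrecognised and the next line still prints `***`. If the intent is just to confirm the value is non-empty, drop both lines in favour of `[ -n "$TEST_SECRET" ] && echo "secret is available"`; nothing in the new code needs the plaintext.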
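Review bot: Base64-encoding the secret before `echo` (PATCH 10) is precisely the bypass GitHub's log redaction cannot catch — `***` is substituted only for the literal value — so the encoded string in the run log is trivially decodable by anyone who can read the run, which on a public repository is everyone. If the goal is only to verify the secret is reachable, print a non-reversible witness instead, e.g. `echo "sha256 prefix: $(printf '%s' "$TEST_SECRET" | sha256sum | cut -c1-12)"`, or simply `[ -n "$TEST_SECRET" ] && echo "secret is available"`. If the leak is intentional, as the description's warning suggests, add a comment above the step such as `# Intentionally writes the decoded value to the log; TEST_REPOSITORY_SECRET MUST hold a throwaway value` so no one repoints this at a real credential. The enclosing `steps:` list begins above the hunk.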
From: Andrew Brandt
Date: Thu, 1 May 2025 20:00:58 -0700
Subject: [PATCH 11/12] add the pull request target triggers
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index c1bdd25..5c667b1 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -3,8 +3,17 @@ name: Test for Secrets Access
 description: Test for secrets access. NEVER run this with a secret other than the "TEST_REPOSITORY_SECRET"
 
 on:
+  pull_request_target:
+    - assigned
+    - unassigned
+    - labeled
+    - unlabeled
+    - opened
+    - edited
+    - reopened
   workflow_dispatch:
+
 
 env:
   TEST_SECRET: ${{ secrets.TEST_REPOSITORY_SECRET }}
 
From 0ce2f5a0994901dc5a4d6010f72a4a7e3807b131 Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Thu, 1 May 2025 20:02:34 -0700
Subject: [PATCH 12/12] fix syntax
Signed-off-by: Andrew Brandt
---
 .github/workflows/test-for-secrets.yaml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/test-for-secrets.yaml b/.github/workflows/test-for-secrets.yaml
index 5c667b1..aeda06c 100644
--- a/.github/workflows/test-for-secrets.yaml
+++ b/.github/workflows/test-for-secrets.yaml
@@ -4,16 +4,18 @@ description: Test for secrets access. NEVER run this with a secret other than th
 
 on:
   pull_request_target:
-    - assigned
-    - unassigned
-    - labeled
-    - unlabeled
-    - opened
-    - edited
-    - reopened
+    types:
+      - assigned
+      - unassigned
+      - labeled
+      - unlabeled
+      - opened
+      - edited
+      - reopened
   workflow_dispatch:
+
 
 
 env:
   TEST_SECRET: ${{ secrets.TEST_REPOSITORY_SECRET }}
 
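Review bot: Once `types:` makes this block valid (PATCH 12), `pull_request_target` is live: on `opened`, `edited`, `reopened`, `labeled`, `assigned` and the rest, a pull request from any fork starts this job in the base repository's context with `secrets.TEST_REPOSITORY_SECRET` populated, and the `run:` step below the hunk writes that value base64-encoded into a log the PR author can read. That is defensible only for a canary value, so say so in the file — `# pull_request_target runs for fork PRs WITH repository secrets; this workflow leaks the value on purpose` directly above `pull_request_target:` — and if fork-triggered runs are not part of the experiment, gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. Note that `edited` fires on every title or body change, so the PR author can re-trigger the run, and the leak, at will. Minor: the added `+` blank line is now the third consecutive blank before `env:` (one was already added in PATCH 11); a single blank is enough.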