From fbef2c7bd0be9b978b85dd4bca7a228ef9aef7eb Mon Sep 17 00:00:00 2001
From: Camilo Celis Guzman
Date: Wed, 19 Oct 2022 10:41:11 +0000
Subject: [PATCH] Add an action input/flag to disable logging of public key information (#122)
This commit adds the new `log-public-key` action input. Closes #122 (contains the suggested changes plus a few tweaks and documentation), fixes #100.
Co-authored-by: Matthias Pigulla
---
 CHANGELOG.md | 2 ++
 README.md | 9 +++++++++
 action.yml | 4 ++++
 dist/index.js | 6 ++++--
 index.js | 6 ++++--
 5 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5075807..2e27463 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+ * Add the `log-public-key` input that can be used to turn off logging key identities (#122)
+
 ## v0.6.0 [2022-10-19]
 ### Changed
diff --git a/README.md b/README.md
index 328182b..7924d98 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,16 @@ To support picking the right key in this use case, this action scans _key commen 3. For key comments containing such URLs, a Git config setting is written that uses [`url..insteadof`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf). It will redirect `git` requests to URLs starting with either `https://github.com/owner/repo` or `git@github.com:owner/repo` to a fake hostname/URL like `git@...some.hash...:owner/repo`. 4. An SSH configuration section is generated that applies to the fake hostname. It will map the SSH connection back to `github.com`, while at the same time pointing SSH to a file containing the appropriate key's public part. That will make SSH use the right key when connecting to GitHub.com. +## Action Inputs + +The following inputs can be used to control the action's behavior: + +* `ssh-private-key`: Required. Use this to provide the key(s) to load as GitHub Actions secrets. +* `ssh-auth-sock`: Can be used to control where the SSH agent socket will be placed. Ultimately affects the `$SSH_AUTH_SOCK` environment variable. +* `log-public-key`: Set this to `false` if you want to suppress logging of _public_ key information. To simplify debugging and since it contains public key information only, this is turned on by default. + ## Exported variables + The action exports the `SSH_AUTH_SOCK` and `SSH_AGENT_PID` environment variables through the Github Actions core module. The `$SSH_AUTH_SOCK` is used by several applications like git or rsync to connect to the SSH authentication agent. The `$SSH_AGENT_PID` contains the process id of the agent. This is used to kill the agent in post job action. diff --git a/action.yml b/action.yml index 5e782f5..ec3dfd9 100644 --- a/action.yml +++ b/action.yml 
@@ -6,6 +6,10 @@ inputs:
 required: true
 ssh-auth-sock:
 description: 'Where to place the SSH Agent auth socket'
+ log-public-key:
+ description: 'Whether or not to log public key fingerprints'
+ required: false
+ default: true
 runs:
 using: 'node16'
 main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
index fe01c67..46f6582 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -326,6 +326,7 @@ const { home, sshAgent, sshAdd } = __webpack_require__(972);
 try {
 const privateKey = core.getInput('ssh-private-key');
+ const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
 if (!privateKey) {
 core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
@@ -374,8 +375,9 @@ try {
 const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 if (!parts) {
- console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
-
+ if (logPublicKey) {
+ console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
+ }
 return;
 }
diff --git a/index.js b/index.js
index e08d46f..5dbc831 100644
--- a/index.js
+++ b/index.js
@@ -6,6 +6,7 @@ const { home, sshAgent, sshAdd } = require('./paths.js');
 try {
 const privateKey = core.getInput('ssh-private-key');
+ const logPublicKey = core.getBooleanInput('log-public-key', {default: true});
 if (!privateKey) {
 core.setFailed("The ssh-private-key argument is empty. Maybe the secret has not been configured, or you are using a wrong secret name in your workflow file.");
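Review bot: The `{default: true}` option on the added `core.getBooleanInput('log-public-key', {default: true})` line in index.js is not read by `@actions/core`; its input options are `required` and `trimWhitespace`, so the effective default is the `default: true` entry this commit adds to action.yml. `getBooleanInput` also throws when the value is not one of the accepted true/false spellings, which includes an empty value when the script runs without that metadata default; the throw lands in the `try`, whose handler is outside this hunk. I would drop the option and say where the default lives: `const logPublicKey = core.getBooleanInput('log-public-key'); // default is set in action.yml`. The same line appears in the dist/index.js hunk and would change with the next bundle build.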
@@ -54,8 +55,9 @@ try {
 const parts = key.match(/\bgithub\.com[:/]([_.a-z0-9-]+\/[_.a-z0-9-]+)/i);
 if (!parts) {
- console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
-
+ if (logPublicKey) {
+ console.log(`Comment for (public) key '${key}' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.`);
+ }
 return;
 }
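Review bot: `logPublicKey` guards only the message in this `if (!parts)` branch, while the README and action.yml text added by the same commit describe the input as suppressing public key information in general. The diffstat's six changed lines in index.js are all accounted for by the two hunks shown, so any other statement that prints the loaded keys or their comments (none is visible here; the enclosing callback starts and ends outside the hunk) would still write to the job log when the input is `false`. Because the README says key comments are scanned for repository URLs, that gap matters to anyone who sets the flag to keep those out of logs. Either gate the remaining statements with the same flag or narrow the input's description, and a comment above the check would help: `// the message interpolates the whole key entry; print it only when log-public-key is enabled`.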