mirror of
https://github.com/go-task/task.git
synced 2026-07-01 00:24:30 +00:00
feat: do not log secret variables (#2514)
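--- a/testdata/secrets/Taskfile.yml
+++ b/testdata/secrets/Taskfile.yml
@@ -0,0 +1,83 @@
+version: '3'
+
+vars:
+# Public variable
+APP_NAME: myapp
+
+# Secret variable with value
+API_KEY:
+value: "secret-api-key-123"
+secret: true
+
+# Secret variable from shell command
+PASSWORD:
+sh: "echo 'my-super-secret-password'"
+secret: true
+
+# Non-secret variable
+PUBLIC_URL: https://example.com
+
+tasks:
+test-secret-masking:
+desc: Test that secret variables are masked in logs
+cmds:
+- echo "Deploying {{.APP_NAME}} to {{.PUBLIC_URL}}"
+- echo "Using API key {{.API_KEY}}"
+- echo "Password is {{.PASSWORD}}"
+- echo "Public app name is {{.APP_NAME}}"
+
+test-multiple-secrets:
+desc: Test multiple secrets in one command
+cmds:
+- echo "API={{.API_KEY}} PWD={{.PASSWORD}}"
+
+test-mixed:
+desc: Test mix of secret and public vars
+vars:
+LOCAL_SECRET:
+value: "task-level-secret"
+secret: true
+cmds:
+- echo "App={{.APP_NAME}} Secret={{.LOCAL_SECRET}} URL={{.PUBLIC_URL}}"
+
+test-deferred-secret:
+desc: Test that deferred commands mask secrets
+vars:
+DEFERRED_SECRET:
+value: "deferred-secret-value"
+secret: true
+cmds:
+- echo "Starting task"
+- defer: echo "Cleanup with secret={{.DEFERRED_SECRET}} and app={{.APP_NAME}}"
+- echo "Main command executed"
+
+test-dynamic-secret-verbose:
+desc: Test that dynamic (sh) secrets are masked even in verbose logs
+cmds:
+- echo "Password is {{.PASSWORD}}"
+
+test-secret-key-order:
+desc: Test that "secret" may be declared before the value/sh key
+vars:
+SECRET_FIRST:
+secret: true
+value: "order-independent-secret"
+SH_SECRET_FIRST:
+secret: true
+sh: "echo 'sh-order-independent-secret'"
+cmds:
+- echo "Value={{.SECRET_FIRST}} Sh={{.SH_SECRET_FIRST}}"
+
+test-env-secret-limitation:
+desc: Test showing that env vars with secret flag are NOT masked (limitation)
+env:
+SECRET_TOKEN:
+value: "env-secret-token-123"
+secret: true
+PUBLIC_ENV: "public-value"
+cmds:
+# Templates {{.VAR}} don't work with env - they're empty
+- echo "Token via template is {{.SECRET_TOKEN}}"
+# Shell $VAR works but is NOT masked (env vars not in template system)
+- echo "Token via shell is $SECRET_TOKEN"
+- echo "Public env is {{.PUBLIC_ENV}}"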
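Review bot: In `test-env-secret-limitation`, the comment `# Shell $VAR works but is NOT masked` does not match what the golden output for this task records: the logged command line shows the literal `$SECRET_TOKEN`, so there is nothing in the task log to mask, and the value appears only in the command's own output, as it does for every template secret in this file. I would reword it to `# Shell $VAR is expanded by the shell: the task log shows the literal $SECRET_TOKEN, the value appears only in command output`. A header comment stating that masking covers the task's logged command lines and the summary, not what the commands themselves print, would keep readers from assuming CI output is scrubbed. Whether `secret: true` under `env:` should at least produce a warning instead of being accepted silently is not visible from this fixture and is worth confirming in the parser.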
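--- a/testdata/secrets/testdata/TestSecretVars-deferred_command_with_secrets.golden
+++ b/testdata/secrets/testdata/TestSecretVars-deferred_command_with_secrets.golden
@@ -0,0 +1,6 @@
+task: [test-deferred-secret] echo "Starting task"
+Starting task
+task: [test-deferred-secret] echo "Main command executed"
+Main command executed
+task: [test-deferred-secret] echo "Cleanup with secret=***** and app=myapp"
+Cleanup with secret=deferred-secret-value and app=myapp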
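--- a/testdata/secrets/testdata/TestSecretVars-dynamic_secret_masked_in_verbose.golden
+++ b/testdata/secrets/testdata/TestSecretVars-dynamic_secret_masked_in_verbose.golden
@@ -0,0 +1,5 @@
+task: dynamic variable: "echo 'my-super-secret-password'" result: "*****"
+task: "test-dynamic-secret-verbose" started
+task: [test-dynamic-secret-verbose] echo "Password is *****"
+Password is my-super-secret-password
+task: "test-dynamic-secret-verbose" finished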
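Review bot: The first expected line still carries the secret in clear text, because the verbose log prints the `sh` command verbatim (`echo 'my-super-secret-password'`) and masks only the `result:` field. That is probably acceptable in real use, where the command reads the value from a store rather than embedding it, but the fixture blurs the distinction and this golden cannot show that the value is absent from the log lines Task itself generates. I would add a comment above `PASSWORD` in the Taskfile, `# The sh command text is logged verbatim in verbose mode; only its result is masked`, and state the same caveat in the user documentation for `secret`.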
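--- a/testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden
+++ b/testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden
@@ -0,0 +1,6 @@
+task: [test-env-secret-limitation] echo "Token via template is "
+Token via template is
+task: [test-env-secret-limitation] echo "Token via shell is $SECRET_TOKEN"
+Token via shell is env-secret-token-123
+task: [test-env-secret-limitation] echo "Public env is "
+Public env is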
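--- a/testdata/secrets/testdata/TestSecretVars-mixed_secret_and_public_vars.golden
+++ b/testdata/secrets/testdata/TestSecretVars-mixed_secret_and_public_vars.golden
@@ -0,0 +1,2 @@
+task: [test-mixed] echo "App=myapp Secret=***** URL=https://example.com"
+App=myapp Secret=task-level-secret URL=https://example.com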
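--- a/testdata/secrets/testdata/TestSecretVars-multiple_secrets_masked.golden
+++ b/testdata/secrets/testdata/TestSecretVars-multiple_secrets_masked.golden
@@ -0,0 +1,2 @@
+task: [test-multiple-secrets] echo "API=***** PWD=*****"
+API=secret-api-key-123 PWD=my-super-secret-password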
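--- a/testdata/secrets/testdata/TestSecretVars-secret_key_order_independent.golden
+++ b/testdata/secrets/testdata/TestSecretVars-secret_key_order_independent.golden
@@ -0,0 +1,2 @@
+task: [test-secret-key-order] echo "Value=***** Sh=*****"
+Value=order-independent-secret Sh=sh-order-independent-secret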
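--- a/testdata/secrets/testdata/TestSecretVars-secret_vars_are_masked_in_logs.golden
+++ b/testdata/secrets/testdata/TestSecretVars-secret_vars_are_masked_in_logs.golden
@@ -0,0 +1,8 @@
+task: [test-secret-masking] echo "Deploying myapp to https://example.com"
+Deploying myapp to https://example.com
+task: [test-secret-masking] echo "Using API key *****"
+Using API key secret-api-key-123
+task: [test-secret-masking] echo "Password is *****"
+Password is my-super-secret-password
+task: [test-secret-masking] echo "Public app name is myapp"
+Public app name is myapp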
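--- a/testdata/secrets/testdata/TestSecretVars-secret_vars_are_masked_in_summary.golden
+++ b/testdata/secrets/testdata/TestSecretVars-secret_vars_are_masked_in_summary.golden
@@ -0,0 +1,15 @@
+task: test-secret-masking
+
+Test that secret variables are masked in logs
+
+vars:
+APP_NAME: "myapp"
+API_KEY: *****
+PASSWORD: *****
+PUBLIC_URL: "https://example.com"
+
+commands:
+- echo "Deploying myapp to https://example.com"
+- echo "Using API key *****"
+- echo "Password is *****"
+- echo "Public app name is myapp"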