#Hide Secrets in OpName?

idle meadow
#

I'm doing a git clone, and noticing that my token is logged....

I've looked a bit through secrets, and it seems they only apply when you can use a withSecret block.

Is there a way to protect my credentials when using the dagger.Git method? (I must use HTTPS / GH Token, can't use SSH)

Example Code

func insertCredentials(url string) (string, error) {
    username := os.Getenv("GITHUB_USERNAME")
    password := os.Getenv("GITHUB_TOKEN")
    const githubPrefix = "https://github.com/"
    if !strings.HasPrefix(url, githubPrefix) {
        return "", fmt.Errorf("invalid GitHub URL: %s", url)
    }

    // Replace the github prefix with a new prefix containing the credentials
    newPrefix := fmt.Sprintf("https://%s:%s@github.com/", username, password)
    return strings.Replace(url, githubPrefix, newPrefix, 1), nil
}
....

// In main func

    gitURL, err := insertCredentials("https://github.com/dagger/dagger")
    if err != nil {
        log.Error(err)
        return err
    }
    c.SetSecret("ghApiToken", os.Getenv("GITHUB_TOKEN")) // added per request
    src := c.Git(gitURL, dagger.GitOpts{KeepGitDir: true}).
....

This results in a logged opName like this....

git://me:my_token_oops@github.com/foo/service-bar.git#ref
#

manic steppe
idle meadow
#

nope - still logged 😦

#

plz note in the snippet I'm not actually in a container step. I'm using git directly from dagger client

manic steppe
idle meadow
#

sure

manic steppe
#

Thanks again for joining me and for making this super clear Steven!

So the core issue here is that dagger.Git(url) expects a string, and we are not able to pass in a Dagger Secret since it is not a string.

Does anyone else have any suggestions here?

idle meadow
manic steppe
idle meadow
manic steppe
#

This is so strange but I am getting different output when I run your same snippet (using 0.8.8)

levlaz@Levs-MacBook-Pro dagger-cloud-sandbox % dagger run go run . 
┣─╮
│ ▽ init
│ █ [1.03s] connect
│ ┣ [0.83s] starting engine
│ ┣ [0.20s] starting session
│ ┃ Failed to connect; retrying... name:"error" value:"make request: Post \"http://dagger/query\": rpc error: code = Unknown desc =
│ ┃  server \"bng8kadl1gmp99g9150tpa1ak\" not found"
│ ┃ OK!
│ ┻
█ [1.06s] go run .
█ [0.27s] git://github.com/dagger/dagger#main
┃ 94c8f92d7dd99616e4c6db05e5d0e4cd94ab13d6        refs/heads/main
█ [0.11s] ERROR exec ls -la /src

I am not sure if anything changed across versions to specifically address this issue or if it's actually another bug. If I run the snippet with 0.8.7 I see the same output as you.

#

Even when I don't do setSecret I still see this output in 0.8.8

█ [4.83s] go run .
█ [0.24s] git://github.com/dagger/dagger#main
manic steppe
#

One more datapoint: in 0.8.8, if I run with the --debug flag then I do see the secret printed in the logs.

levlaz@Levs-MacBook-Pro dagger-cloud-sandbox % dagger run --debug go run .  
┣─╮
│ ▽ init
│ █ [0.91s] connect
│ ┣ [0.76s] starting engine
│ ┣ [0.15s] starting session
│ ┃ Failed to connect; retrying... name:"error" value:"make request: Post \"http://dagger/query\": rpc error: code = Unknown desc =
│ ┃  server \"mddbkyg34uh7z7rj7tmkrxhow\" not found"
│ ┃ OK!
│ ┻
█ [0.00s] defaultPlatform
█ [1.64s] go run .
█ [0.00s] checkVersionCompatibility(version: "0.8.8")
█ [0.00s] git(url: "https://username:please-dont-print@github.com/dagger/dagger", keepGitDir: true)
█ [0.00s] branch(name: "main")
█ [0.00s] tree