fix: ensure token is masked (#4)

npalm · web-flow · commit c59866487153 · 2021-03-14T13:12:46.000+01:00
* fix: ensure token is masked

* chore: use github action token for dry run release.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -53,7 +53,7 @@ jobs:
 
       - name: Dry run release
         env:
-          GITHUB_TOKEN: ${{ steps.app.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: yarn && yarn run release -d -b ${{ steps.branch.outputs.short_ref }}
 
       - name: Release
diff --git a/dist/index.js b/dist/index.js
@@ -15302,7 +15302,7 @@ const getAppInstallationToken = (privateKey, appId, org) => __awaiter(void 0, vo
 });
 exports.getAppInstallationToken = getAppInstallationToken;
 const getToken = (parameters) => __awaiter(void 0, void 0, void 0, function* () {
-    let token = undefined;
+    let token;
     const privateKey = Buffer.from(parameters.base64PrivateKey, 'base64').toString();
     switch (parameters.type) {
         case 'installation': {
@@ -15374,6 +15374,8 @@ function run() {
                 type: authType,
                 org,
             });
+            // some github magic seems masking the token by default, but just to ensure it is registered as secret.
+            core.setSecret(token);
             core.setOutput('token', token);
         }
         catch (error) {
diff --git a/src/auth.ts b/src/auth.ts
@@ -44,8 +44,8 @@ export const getAppInstallationToken = async (privateKey: string, appId: number,
   }
 };
 
-export const getToken = async (parameters: Parameters): Promise<string | undefined> => {
-  let token = undefined;
+export const getToken = async (parameters: Parameters): Promise<string> => {
+  let token: string;
 
   const privateKey = Buffer.from(parameters.base64PrivateKey, 'base64').toString();
   switch (parameters.type) {
@@ -58,5 +58,6 @@ export const getToken = async (parameters: Parameters): Promise<string | undefin
       break;
     }
   }
+
   return token;
 };
diff --git a/src/main.ts b/src/main.ts
@@ -19,6 +19,8 @@ async function run(): Promise<void> {
       org,
     });
 
+    // some github magic seems masking the token by default, but just to ensure it is registered as secret.
+    core.setSecret(token);
     core.setOutput('token', token);
   } catch (error) {
     core.debug(error);

Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@ export const getAppInstallationToken = async (privateKey: string, appId: number,`
`44`	`44`	`}`
`45`	`45`	`};`
`46`	`46`
`47`		`-export const getToken = async (parameters: Parameters): Promise<string \| undefined> => {`
`48`		`- let token = undefined;`
	`47`	`+export const getToken = async (parameters: Parameters): Promise<string> => {`
	`48`	`+ let token: string;`
`49`	`49`
`50`	`50`	`const privateKey = Buffer.from(parameters.base64PrivateKey, 'base64').toString();`
`51`	`51`	`switch (parameters.type) {`
`@@ -58,5 +58,6 @@ export const getToken = async (parameters: Parameters): Promise<string \| undefin`
`58`	`58`	`break;`
`59`	`59`	`}`
`60`	`60`	`}`
	`61`	`+`
`61`	`62`	`return token;`
`62`	`63`	`};`