fix: redact secret values from env (#252)

2026-05-14 22:00:34 +00:00 · 2025-08-22 09:38:59 -05:00 · 2025-08-22 09:38:59 -05:00 · 5e785b73cb
commit 5e785b73cb
parent 8a7168b4f6
6 changed files with 228 additions and 5 deletions
--- a/.github/workflows/test-redacted-env.yml
+++ b/.github/workflows/test-redacted-env.yml
@ -0,0 +1,72 @@
+name: Test Redacted Environment Variables
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test-redacted-env:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Create test mise config with sensitive values
+        run: |
+          cat > .mise.toml << 'EOF'
+          [env]
+          PUBLIC_VAR = "this-is-public"
+          API_KEY = {value = "secret-api-key-12345", redact = true}
+          SECRET_TOKEN = {value = "supersecret-token-xyz", redact = true}
+          DATABASE_PASSWORD = {value = "db-pass-789", redact = true}
+          EOF
+      
+      - name: Setup mise
+        uses: ./
+      
+      - name: Verify environment variables are exported
+        run: |
+          echo "Checking if environment variables are set..."
+          
+          # Check that public var is set
+          if [ "$PUBLIC_VAR" != "this-is-public" ]; then
+            echo "ERROR: PUBLIC_VAR not set correctly"
+            exit 1
+          fi
+          echo "✓ PUBLIC_VAR is set correctly"
+          
+          # Check that sensitive vars are set (but their values should be masked in logs)
+          if [ -z "$API_KEY" ]; then
+            echo "ERROR: API_KEY not set"
+            exit 1
+          fi
+          echo "✓ API_KEY is set"
+          
+          if [ -z "$SECRET_TOKEN" ]; then
+            echo "ERROR: SECRET_TOKEN not set"
+            exit 1
+          fi
+          echo "✓ SECRET_TOKEN is set"
+          
+          if [ -z "$DATABASE_PASSWORD" ]; then
+            echo "ERROR: DATABASE_PASSWORD not set"
+            exit 1
+          fi
+          echo "✓ DATABASE_PASSWORD is set"
+      
+      - name: Test that sensitive values are masked (will show *** if properly masked)
+        run: |
+          echo "Testing value masking..."
+          echo "API_KEY value: $API_KEY"
+          echo "SECRET_TOKEN value: $SECRET_TOKEN"
+          echo "DATABASE_PASSWORD value: $DATABASE_PASSWORD"
+          echo "PUBLIC_VAR value: $PUBLIC_VAR"
+          
+          # This should show the actual values in the step output,
+          # but GitHub Actions should mask them if core.setSecret was called
+      
+      - name: Verify mise version
+        run: mise --version