Merge pull request #26 from githubocto/secrets-mask

feat: add a "mask" param to hide secrets from http_url

Author: irealva

README.md

@@ -99,6 +99,19 @@ In `http` mode this can be anything. This can be any endpoint: a json, csv, txt,
 
 A path to a local Deno javascript or typescript file for postprocessing the `downloaded_filename` file. Read more in the ["Postprocessing section"](https://github.com/githubocto/flat#postprocessing).
 
+#### `mask` (optional)
+
+If your `http_url` string contains secrets, you can choose to mask it from the commit message. You have two options:
+
+**Option 1**: use a string boolean
+
+`mask: true # removes the source entirely from the commit message, defaults to false`
+
+**Option 2**: use a string array with each secret to mask
+
+`mask: '["${{ secrets.SECRET1 }}", "${{ secrets.SECRET2 }}"]'`
+
+
 ### SQL Mode
 
 #### `sql_connstring`

action.yml

@@ -8,6 +8,9 @@ inputs:
   http_url:
     description: 'A URL containing data to fetch.'
     required: false
+  mask:
+    description: 'A string array of secrets to strip from the http_url or a string boolean'
+    required: false
   sql_connstring:
     description: 'A connection string for making a SQL query.'
     required: false

dist/index.js

@@ -233,6 +233,7 @@ const CommonConfigSchema = z.object({
 const HTTPConfigSchema = z
     .object({
     http_url: z.string(),
+    mask: z.string().optional() // string array of secrets or boolean
 })
     .merge(CommonConfigSchema);
 const SQLConfigSchema = z
@@ -247,12 +248,13 @@ function getConfig() {
     const keys = [
         'downloaded_filename',
         'http_url',
+        'mask',
         'sql_connstring',
         'sql_queryfile',
         'postprocess',
     ];
     keys.forEach(k => {
-        const v = core.getInput(k);
+        const v = core.getInput(k); // getInput always returns a string
         if (v) {
             raw[k] = v;
         }
@@ -449,9 +451,30 @@ async function run() {
     core.startGroup('Fetch data');
     let filename = '';
     let source;
+    let shouldMask = false; // by default we don't mask the source
+    let sourceMasked = '';
     if (config_1.isHTTPConfig(config)) {
         filename = await http_1.default(config);
         source = config.http_url;
+        // if including a mask config then we can strip out secrets from the http_url
+        sourceMasked = source; // if no secrets to mask then this is just source
+        if (config.mask) {
+            if (config.mask === 'true' || config.mask === 'false') { // mask param is a string
+                shouldMask = JSON.parse(config.mask); // convert to boolean
+            }
+            else {
+                try {
+                    const maskArray = JSON.parse(config.mask);
+                    maskArray.forEach((secretToMask) => {
+                        const regex = new RegExp(secretToMask, "g");
+                        sourceMasked = sourceMasked.replace(regex, "***");
+                    });
+                }
+                catch (error) {
+                    core.setFailed('Mask param formatted incorrectly. It should be a string array OR a "true" or "false" string.');
+                }
+            }
+        }
     }
     else if (config_1.isSQLConfig(config)) {
         filename = await sql_1.default(config);
@@ -497,8 +520,8 @@ async function run() {
         core.debug(`git adding ${filename}…`);
         await exec_1.exec('git', ['add', filename]);
         const bytes = await git_1.diff(filename);
-        // core.setOutput('delta_bytes', bytes)
-        editedFiles.push({ name: filename, deltaBytes: bytes, source });
+        const source = shouldMask ? {} : { source: sourceMasked };
+        editedFiles.push({ name: filename, deltaBytes: bytes, ...source });
     }
     core.endGroup();
     core.startGroup('Committing new data');