From 48351901f89581a7c12870c787d3f06d1f498438 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 3 Jul 2026 14:08:39 +0200 Subject: [PATCH] skip empty registry-auth secret mask Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- __tests__/context.test.ts | 37 ++++++++++++++++++++++++++++++++++++- src/context.ts | 4 +++- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts index 622474f..21ac148 100644 --- a/__tests__/context.test.ts +++ b/__tests__/context.test.ts @@ -1,4 +1,4 @@ -import {afterEach, expect, test} from 'vitest'; +import {afterEach, expect, test, vi} from 'vitest'; import * as path from 'path'; import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js'; @@ -6,6 +6,7 @@ import {Buildx} from '@docker/actions-toolkit/lib/buildx/buildx.js'; import {getAuthList, getInputs} from '../src/context.js'; afterEach(() => { + vi.restoreAllMocks(); for (const key of Object.keys(process.env)) { if (key.startsWith('INPUT_')) { delete process.env[key]; @@ -33,3 +34,37 @@ test('getAuthList uses the default Docker Hub registry when computing scoped con configDir: path.join(Buildx.configDir, 'config', 'registry-1.docker.io', 'myscope') }); }); + +test('getAuthList skips secret masking when registry-auth password is absent', async () => { + const stdoutWriteSpy = vi.spyOn(process.stdout, 'write').mockImplementation(() => true); + const [auth] = getAuthList({ + registry: '', + username: '', + password: '', + scope: '', + ecr: '', + logout: true, + registryAuth: '- registry: public.ecr.aws\n' + }); + + expect(stdoutWriteSpy.mock.calls.map(call => call[0]).join('')).not.toContain('::add-mask::'); + expect(auth).toMatchObject({ + registry: 'public.ecr.aws', + ecr: 'auto' + }); +}); + +test('getAuthList masks registry-auth password when present', async () => { + const stdoutWriteSpy = vi.spyOn(process.stdout, 'write').mockImplementation(() => true); + getAuthList({ + registry: '', + username: '', + password: '', + scope: '', + ecr: '', + logout: true, + registryAuth: '- registry: ghcr.io\n username: dbowie\n password: groundcontrol\n' + }); + + expect(stdoutWriteSpy.mock.calls.map(call => call[0]).join('')).toContain('::add-mask::groundcontrol'); +}); diff --git a/src/context.ts b/src/context.ts index e2e7bb4..2443c66 100644 --- a/src/context.ts +++ b/src/context.ts @@ -53,7 +53,9 @@ export function getAuthList(inputs: Inputs): Array { }); } else { auths = (yaml.load(inputs.registryAuth) as Array).map(auth => { - core.setSecret(auth.password); // redacted in workflow logs + if (auth.password) { + core.setSecret(auth.password); // redacted in workflow logs + } const registry = auth.registry || 'docker.io'; return { registry,