Mask base64 cert and document add-mask stdout requirement

DeveloperIDCertBase64 is the .p12 contents and equally sensitive as the password — register it with the log scrubber so a future code path that accidentally wraps cfg in a debug log can't leak it. Also documents why maskSecrets writes to stdout rather than stderr.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

parent 97fb47d023
commit 445c99e6c4
|
|
@ -189,8 +189,12 @@ func run(ctx context.Context) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// maskSecrets registers every credential value with the runner's log
|
||||||
|
// scrubber via ::add-mask:: directives. These directives MUST be written
|
||||||
|
// to stdout (not stderr) — the runner's command-parser only reads stdout.
|
||||||
func maskSecrets(c *config.Config) {
|
func maskSecrets(c *config.Config) {
|
||||||
for _, v := range []string{
|
for _, v := range []string{
|
||||||
|
c.DeveloperIDCertBase64,
|
||||||
c.DeveloperIDCertPassword,
|
c.DeveloperIDCertPassword,
|
||||||
c.NotarizationAPIKeyBase64,
|
c.NotarizationAPIKeyBase64,
|
||||||
c.NotarizationApplePassword,
|
c.NotarizationApplePassword,
|
||||||
|
|
|
||||||
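Review bot: the new `c.DeveloperIDCertBase64` entry is the one value in this list that can plausibly contain line breaks (wrapped base64), and because an `::add-mask::` directive is parsed per stdout line, a wrapped value would have only its first line registered while the remaining lines are written to stdout as ordinary output. The loop body is not visible in this hunk, so please confirm that it splits each value on newlines and masks every non-empty line, or that the config loader strips or rejects whitespace in this field before it reaches `maskSecrets`. The doc comment could also note that only the base64 text is registered, so the decoded .p12 bytes or any re-encoding of them would not be scrubbed.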