chore: mask secrets in CI runs (#789)

Author: vladfrangu

.github/workflows/check.yaml

@@ -22,6 +22,10 @@ jobs:
                 node-version: [18, 20, 22]
 
         steps:
+            - name: Mask secrets
+              run: |
+                  echo "::add-mask::${{ secrets.APIFY_TEST_USER_API_TOKEN }}"
+
             - uses: actions/checkout@v4
 
             - name: Use Node.js ${{ matrix.node-version }}
@@ -61,6 +65,10 @@ jobs:
         runs-on: ${{ matrix.os }}
 
         steps:
+            - name: Mask secrets
+              run: |
+                  echo "::add-mask::${{ secrets.APIFY_TEST_USER_API_TOKEN }}"
+
             - uses: actions/checkout@v4
 
             - name: Use Node.js 20

.github/workflows/cucumber.yaml

@@ -23,6 +23,10 @@ jobs:
         runs-on: ${{ matrix.os }}
 
         steps:
+            - name: Mask secrets
+              run: |
+                  echo "::add-mask::${{ secrets.APIFY_TEST_USER_API_TOKEN }}"
+
             - uses: actions/checkout@v4
 
             - name: Use Node.js ${{ matrix.node-version }}

eslint.config.mjs

@@ -74,4 +74,16 @@ export default [
 			'consistent-return': 'off',
 		},
 	},
+	{
+		files: ['test/**/*'],
+		rules: {
+			'no-restricted-syntax': [
+				'error',
+				{
+					'selector': "CallExpression[callee.object.name='LoginCommand'][callee.property.name='run']",
+					'message': 'Use safeLogin() from test/__setup__/hooks/useAuthSetup.ts instead',
+				},
+			],
+		},
+	},
 ];

test/__setup__/config.ts

@@ -1,4 +1,7 @@
+import { EOL } from 'node:os';
+
 import { ApifyClient } from 'apify-client';
+import isCI from 'is-ci';
 
 import { getApifyClientOptions } from '../../src/lib/utils.js';
 
@@ -14,3 +17,8 @@ export const testUserClient = new ApifyClient(getApifyClientOptions(ENV_TEST_USE
 export const badUserClient = new ApifyClient(getApifyClientOptions(TEST_USER_BAD_TOKEN));
 
 export const TEST_USER_TOKEN = ENV_TEST_USER_TOKEN;
+
+if (isCI) {
+	process.stdout.write(`CI environment detected, masking secrets as they are created${EOL}`);
+	process.stdout.write(`${EOL}::add-mask::${TEST_USER_TOKEN}${EOL}`);
+}

test/__setup__/hooks/useAuthSetup.ts

@@ -1,8 +1,14 @@
 import { rm } from 'node:fs/promises';
+import { EOL } from 'node:os';
+
+import isCI from 'is-ci';
 
 import { cryptoRandomObjectId } from '@apify/utilities';
 
+import { LoginCommand } from '../../../src/commands/login.js';
 import { GLOBAL_CONFIGS_FOLDER } from '../../../src/lib/consts.js';
+import { getLocalUserInfo } from '../../../src/lib/utils.js';
+import { TEST_USER_TOKEN } from '../config.js';
 
 export interface UseAuthSetupOptions {
 	/**
@@ -43,3 +49,18 @@ export function useAuthSetup({ cleanup, perTest }: UseAuthSetupOptions = { clean
 		vitest.unstubAllEnvs();
 	});
 }
+
+export async function safeLogin(tokenOverride?: string) {
+	// eslint-disable-next-line no-restricted-syntax
+	await LoginCommand.run(['--token', tokenOverride ?? TEST_USER_TOKEN], import.meta.url);
+
+	try {
+		const userInfo = await getLocalUserInfo();
+
+		if (userInfo?.proxy?.password && isCI) {
+			process.stdout.write(`${EOL}::add-mask::${userInfo.proxy.password}${EOL}`);
+		}
+	} catch {
+		// Do nothing
+	}
+}

test/commands/call.test.ts

@@ -6,11 +6,10 @@ import { captureOutput } from '@oclif/test';
 
 import { cryptoRandomObjectId } from '@apify/utilities';
 
-import { LoginCommand } from '../../src/commands/login.js';
 import { getLocalKeyValueStorePath } from '../../src/lib/utils.js';
 import { waitForBuildToFinishWithTimeout } from '../__setup__/build-utils.js';
-import { TEST_USER_TOKEN, testUserClient } from '../__setup__/config.js';
-import { useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
+import { testUserClient } from '../__setup__/config.js';
+import { safeLogin, useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
 import { useTempPath } from '../__setup__/hooks/useTempPath.js';
 
 const ACTOR_NAME = `call-my-actor-${cryptoRandomObjectId(6)}-${process.version.split('.')[0]}-${platform()}`;
@@ -48,7 +47,7 @@ describe('apify call', () => {
 
 		const { username } = await testUserClient.user('me').get();
 
-		await LoginCommand.run(['--token', TEST_USER_TOKEN], import.meta.url);
+		await safeLogin();
 		await CreateCommand.run(
 			[ACTOR_NAME, '--template', 'project_empty', '--skip-dependency-install'],
 			import.meta.url,

test/commands/info.test.ts

@@ -3,10 +3,8 @@ import { readFileSync } from 'node:fs';
 import { runCommand } from '@oclif/test';
 
 import { InfoCommand } from '../../src/commands/info.js';
-import { LoginCommand } from '../../src/commands/login.js';
 import { AUTH_FILE_PATH } from '../../src/lib/consts.js';
-import { TEST_USER_TOKEN } from '../__setup__/config.js';
-import { useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
+import { safeLogin, useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
 
 useAuthSetup();
 
@@ -20,7 +18,7 @@ describe('apify info', () => {
 	it('should work when logged in', async () => {
 		const spy = vitest.spyOn(console, 'log');
 
-		await LoginCommand.run(['--token', TEST_USER_TOKEN], import.meta.url);
+		await safeLogin();
 		await InfoCommand.run([], import.meta.url);
 
 		const userInfoFromConfig = JSON.parse(readFileSync(AUTH_FILE_PATH(), 'utf8'));

test/commands/log_in_out.test.ts

@@ -5,7 +5,7 @@ import type { MockInstance } from 'vitest';
 
 import { AUTH_FILE_PATH } from '../../src/lib/consts.js';
 import { TEST_USER_BAD_TOKEN, TEST_USER_TOKEN, testUserClient } from '../__setup__/config.js';
-import { useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
+import { safeLogin, useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
 
 vitest.setConfig({ restoreMocks: false });
 useAuthSetup();
@@ -25,14 +25,14 @@ describe('apify login and logout', () => {
 	});
 
 	it('should end with Error with bad token', async () => {
-		await LoginCommand.run(['--token', TEST_USER_BAD_TOKEN], import.meta.url);
+		await safeLogin(TEST_USER_BAD_TOKEN);
 
 		expect(spy).toHaveBeenCalledTimes(1);
 		expect(spy.mock.calls[0][0]).to.include('Error:');
 	});
 
 	it('should work with correct token', async () => {
-		await LoginCommand.run(['--token', TEST_USER_TOKEN], import.meta.url);
+		await safeLogin(TEST_USER_TOKEN);
 
 		const expectedUserInfo = Object.assign(await testUserClient.user('me').get(), {
 			token: TEST_USER_TOKEN,
@@ -67,6 +67,7 @@ describe('apify login and logout', () => {
 	});
 
 	it('have correctly setup server for interactive login', async () => {
+		// eslint-disable-next-line no-restricted-syntax -- intentional test
 		await LoginCommand.run(['-m', 'console'], import.meta.url);
 
 		const consoleInfo = spy.mock.calls[0][1];

test/commands/pull.test.ts

@@ -5,10 +5,9 @@ import { join } from 'node:path';
 import { runCommand } from '@oclif/test';
 import type { ActorCollectionCreateOptions } from 'apify-client';
 
-import { LoginCommand } from '../../src/commands/login.js';
 import { DEPRECATED_LOCAL_CONFIG_NAME, LOCAL_CONFIG_PATH } from '../../src/lib/consts.js';
-import { TEST_USER_TOKEN, testUserClient } from '../__setup__/config.js';
-import { useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
+import { testUserClient } from '../__setup__/config.js';
+import { safeLogin, useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
 import { useProcessMock } from '../__setup__/hooks/useProcessMock.js';
 
 const TEST_ACTOR_SOURCE_FILES: ActorCollectionCreateOptions = {
@@ -111,7 +110,7 @@ describe('apify pull', () => {
 	const actorNamesForCleanup = new Set<string>();
 
 	beforeAll(async () => {
-		await LoginCommand.run(['--token', TEST_USER_TOKEN], import.meta.url);
+		await safeLogin();
 	});
 
 	afterAll(async () => {

test/commands/push.test.ts

@@ -9,8 +9,8 @@ import { cryptoRandomObjectId } from '@apify/utilities';
 
 import { LOCAL_CONFIG_PATH } from '../../src/lib/consts.js';
 import { createSourceFiles, getActorLocalFilePaths, getLocalUserInfo } from '../../src/lib/utils.js';
-import { TEST_USER_TOKEN, testUserClient } from '../__setup__/config.js';
-import { useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
+import { testUserClient } from '../__setup__/config.js';
+import { safeLogin, useAuthSetup } from '../__setup__/hooks/useAuthSetup.js';
 import { useConsoleSpy } from '../__setup__/hooks/useConsoleSpy.js';
 import { useTempPath } from '../__setup__/hooks/useTempPath.js';
 import { resetCwdCaches } from '../__setup__/reset-cwd-caches.js';
@@ -43,7 +43,6 @@ const {
 	forceNewCwd,
 } = useTempPath(ACTOR_NAME, { create: true, remove: true, cwd: true, cwdParent: true });
 
-const { LoginCommand } = await import('../../src/commands/login.js');
 const { CreateCommand } = await import('../../src/commands/create.js');
 const { ActorsPushCommand } = await import('../../src/commands/actors/push.js');
 
@@ -55,7 +54,7 @@ describe('apify push', () => {
 	beforeAll(async () => {
 		await beforeAllCalls();
 
-		await LoginCommand.run(['--token', TEST_USER_TOKEN], import.meta.url);
+		await safeLogin();
 		await CreateCommand.run([ACTOR_NAME, '--template', ACT_TEMPLATE, '--skip-dependency-install'], import.meta.url);
 
 		toggleCwdBetweenFullAndParentPath();