Merge pull request #76 from drone-runners/CI-15733

ShobhitSingh11 · web-flow · commit 9ea626aa4217 · 2025-01-29T03:58:42.000+05:30
fix: [CI-15903]: Fixed secret masking issue with drone docker runner
diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
@@ -390,15 +390,28 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti
 		removeCloneDeps(spec)
 	}
 
+	// Creating an object to store a secret data which which will be injected across all steps for masking.
+	var secretData [][]byte
 	for _, step := range spec.Steps {
 		for _, s := range step.Secrets {
 			secret, ok := c.findSecret(ctx, args, s.Name)
 			if ok {
 				s.Data = []byte(secret)
+				secretData = append(secretData, []byte(secret))
 			}
 		}
 	}
 
+	for _, value := range secretData {
+		for _, step := range spec.Steps {
+			e := &engine.Secret{
+				Data: value,
+				Mask: true,
+			}
+			step.Secrets = append(step.Secrets, e)
+		}
+	}
+
 	// get registry credentials from registry plugins
 	creds, err := c.Registry.List(ctx, &registry.Request{
 		Repo:  args.Repo,
@@ -525,7 +538,6 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti
 		}
 		spec.Volumes = append(spec.Volumes, src)
 	}
-
 	return spec
 }
 
diff --git a/engine/convert.go b/engine/convert.go
@@ -32,7 +32,9 @@ func toConfig(spec *Spec, step *Step) *container.Config {
 		config.Env = toEnv(step.Envs)
 	}
 	for _, sec := range step.Secrets {
-		config.Env = append(config.Env, sec.Env+"="+string(sec.Data))
+		if sec.Env != "" {
+			config.Env = append(config.Env, sec.Env+"="+string(sec.Data))
+		}
 	}
 
 	if len(step.Entrypoint) != 0 {

Original file line number	Diff line number	Diff line change
`@@ -390,15 +390,28 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti`
`390`	`390`	`removeCloneDeps(spec)`
`391`	`391`	`}`
`392`	`392`
	`393`	`+ // Creating an object to store a secret data which which will be injected across all steps for masking.`
	`394`	`+ var secretData [][]byte`
`393`	`395`	`for _, step := range spec.Steps {`
`394`	`396`	`for _, s := range step.Secrets {`
`395`	`397`	`secret, ok := c.findSecret(ctx, args, s.Name)`
`396`	`398`	`if ok {`
`397`	`399`	`s.Data = []byte(secret)`
	`400`	`+ secretData = append(secretData, []byte(secret))`
`398`	`401`	`}`
`399`	`402`	`}`
`400`	`403`	`}`
`401`	`404`
	`405`	`+ for _, value := range secretData {`
	`406`	`+ for _, step := range spec.Steps {`
	`407`	`+ e := &engine.Secret{`
	`408`	`+ Data: value,`
	`409`	`+ Mask: true,`
	`410`	`+ }`
	`411`	`+ step.Secrets = append(step.Secrets, e)`
	`412`	`+ }`
	`413`	`+ }`
	`414`	`+`
`402`	`415`	`// get registry credentials from registry plugins`
`403`	`416`	`creds, err := c.Registry.List(ctx, &registry.Request{`
`404`	`417`	`Repo: args.Repo,`
`@@ -525,7 +538,6 @@ func (c *Compiler) Compile(ctx context.Context, args runtime.CompilerArgs) runti`
`525`	`538`	`}`
`526`	`539`	`spec.Volumes = append(spec.Volumes, src)`
`527`	`540`	`}`
`528`		`-`
`529`	`541`	`return spec`
`530`	`542`	`}`
`531`	`543`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,9 @@ func toConfig(spec Spec, step Step) *container.Config {`
`32`	`32`	`config.Env = toEnv(step.Envs)`
`33`	`33`	`}`
`34`	`34`	`for _, sec := range step.Secrets {`
`35`		`- config.Env = append(config.Env, sec.Env+"="+string(sec.Data))`
	`35`	`+ if sec.Env != "" {`
	`36`	`+ config.Env = append(config.Env, sec.Env+"="+string(sec.Data))`
	`37`	`+ }`
`36`	`38`	`}`
`37`	`39`
`38`	`40`	`if len(step.Entrypoint) != 0 {`