Secret and Artifact Leakage Test #12
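# Secret and Artifact Leakage Test
#
# Deliberately exercises how GitHub Actions masks (or fails to mask) secrets
# in step logs, uploaded artifacts and Docker images. Several steps below leak
# DB_PASSWORD on purpose -- that is the thing under test, not a bug.
#
# Run this only in a throwaway repository with throwaway secret values
# (DB_PASSWORD, TEST, CR_PAT), never with real credentials: uploaded artifacts
# are downloadable by anyone who can view the run, and the pushed image is
# readable by anyone who can pull from the package.
name: Secret and Artifact Leakage Test

on:
  workflow_dispatch: # manual trigger only; do not wire this to push/PR

# Least privilege for the job's GITHUB_TOKEN: checkout only needs read.
# The GHCR push uses the CR_PAT secret, not GITHUB_TOKEN, so nothing more
# is required here.
permissions:
  contents: read

jobs:
  test:
    # NOTE: on a self-hosted runner the workspace (secret.txt, the image
    # tarball), the built image and the docker login credential persist on
    # the host between jobs unless removed -- see the final cleanup step.
    runs-on: self-hosted

    steps:
      # 1. Check out the repository.
      #    (v4: the v2 action ran on a deprecated Node runtime; matches the
      #    v4 cache/upload-artifact actions already used below.)
      - name: Checkout Repository
        uses: actions/checkout@v4

      # 2. Cache Node.js dependencies, keyed on package-lock.json when present
      #    (hashFiles yields an empty string when the lockfile is missing).
      - name: Cache Node modules
        uses: actions/cache@v4
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}

      # 3. Set up Node.js. Node 14 is end-of-life; it is kept so the npm
      #    install behaves as before -- bump when the project under test allows.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '14'

      # 4. Install npm dependencies only when a package.json exists.
      - name: Install npm dependencies
        run: |
          if [ -f package.json ]; then
            npm install
          else
            echo "No package.json found. Skipping npm install."
          fi

      # 5. SAFE pattern: the secret reaches the shell through an environment
      #    variable, so its value is never spliced into the script text.
      - name: Safe Secret Usage (Env Variable)
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
        run: |
          echo "Safe usage: DB_PASSWORD is $DB_PASSWORD"

      # 6. UNSAFE pattern (intentional): ${{ }} is expanded into the script
      #    before the shell sees it, so the raw value lands in the script and
      #    any shell metacharacters it contains are interpreted.
      - name: Unsafe Secret Usage (Inline)
        run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}"

      # 7. Secret-masking probes: does the log redactor still catch the value
      #    when it is read from an env var, concatenated with another
      #    character, or base64-encoded? Transformed values are the usual way
      #    a masked secret slips into a log -- compare against the run log.
      - name: Test Secret Masking - Env Variable (TEST)
        env:
          TEST: ${{ secrets.TEST }}
        run: |
          echo "TEST 的值(环境变量): $TEST"

      - name: Test Secret Masking - Concatenated (DB_PASSWORD + 'b')
        run: |
          echo "DB_PASSWORD + 'b': ${{ secrets.DB_PASSWORD }}b"

      # The inline expansion here is unquoted: a value containing whitespace
      # or shell metacharacters would be split or executed, not just printed.
      - name: Test Secret Masking - Base64 Encoded
        run: |
          echo "Base64(DB_PASSWORD): $(echo -n ${{ secrets.DB_PASSWORD }} | base64 -w0)"

      # 8. Third-party action pinned to a mutable tag. Whoever can move the
      #    v1 tag can run arbitrary code in this job on the self-hosted runner.
      #    Pin to a full-length commit SHA (uses: owner/repo@<sha>  # v1)
      #    before using this anywhere but a disposable test.
      - name: HTTP Request Example
        uses: fjogeleit/http-request-action@v1
        with:
          url: 'https://httpbin.org/get'
          method: 'GET'

      # 9. Write the secret to a file in the workspace (intentional leak).
      #    Step 11 builds with context ".", so a Dockerfile that copies the
      #    workspace would bake secret.txt into the image layers, the tarball
      #    of step 12 and the image pushed in step 14.
      - name: Write Secret to File
        run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt

      # 10. Upload the file as an artifact (intentional leak): artifact
      #     contents are not masked and can be downloaded by anyone who can
      #     view the workflow run.
      - name: Upload Secret File Artifact
        uses: actions/upload-artifact@v4
        with:
          name: secret-artifact
          path: secret.txt

      # 11. Build the Docker image when a Dockerfile exists.
      - name: Build Docker Image
        run: |
          if [ -f Dockerfile ]; then
            docker build -t secret-tester:latest .
          else
            echo "No Dockerfile found. Skipping Docker build."
          fi

      # 12. Save the image to a tarball; skipped when nothing was built.
      - name: Save Docker Image to Tarball
        run: |
          if docker image inspect secret-tester:latest > /dev/null 2>&1; then
            docker save secret-tester:latest -o secret-tester.tar
          else
            echo "Docker image not built. Skipping save."
          fi

      # 13. Upload the tarball (intentional leak: every layer, including any
      #     copied secret.txt, is readable from the artifact). With no
      #     Dockerfile the file is absent and upload-artifact only warns.
      - name: Upload Docker Image Artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image-artifact
          path: secret-tester.tar

      # 14. Push the image to GHCR. The PAT is passed to docker on stdin from
      #     an env var, quoted so it is handed over verbatim. The step is
      #     guarded like steps 11-12: previously a repository without a
      #     Dockerfile failed here on "docker tag" of a missing image.
      - name: Push Docker Image to GHCR
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
        run: |
          if ! docker image inspect secret-tester:latest > /dev/null 2>&1; then
            echo "Docker image not built. Skipping push."
            exit 0
          fi
          echo "$CR_PAT" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
          docker images
          docker tag secret-tester:latest ghcr.io/${{ github.repository_owner }}/secret-tester:latest
          docker images
          docker push ghcr.io/${{ github.repository_owner }}/secret-tester:latest

      # 15. Cleanup, even on failure: docker login stores the PAT in the
      #     runner's docker config, and secret.txt / the tarball / the image
      #     would otherwise stay on the self-hosted host for later jobs.
      - name: Cleanup leaked files and credentials
        if: always()
        run: |
          docker logout ghcr.io || true
          docker image rm -f secret-tester:latest > /dev/null 2>&1 || true
          rm -f secret.txt secret-tester.tar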