fixup! .github/actions/akv-secret: add action to get secrets

Use a buffer rather than a string when handling the output from the `az`
command. Handling of binary data (that was base64 encoded) requires that
we use a buffer and not a string, or else we will end up writing invalid
data to files/output variables.

Introduce several new helper functions for working with buffers,
including trimming the EOL bytes (CR, LF), and fix up some of the
output functions to correctly validate the value passed - it must be
something printable (UTF-8-ish).

Finally ensure that we correctly mask multi-line secret values by
emitting a `::add-mask` command for each line.

Co-authored-by: Johannes Schindelin <[email protected]>
Signed-off-by: Matthew John Cheetham <[email protected]>

Author: dscho

.github/actions/akv-secret/index.js

@@ -2,6 +2,7 @@ const { spawnSync } = require('child_process');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
+const { isUtf8 } = require("buffer")
 
 // Note that we are not using the `@actions/core` package as it is not available
 // without either committing node_modules/ to the repository, or using something
@@ -15,6 +16,35 @@ const escapeData = (s) => {
     .replace(/\n/g, '%0A')
 }
 
+const stringify = (value) => {
+  if (typeof value === 'string') return value;
+  if (Buffer.isBuffer(value) && isUtf8(value)) return value.toString('utf-8');
+  return undefined;
+}
+
+const trimEOL = (buf) => {
+  let l = buf.length
+  if (l > 0 && buf[l - 1] === 0x0a) {
+    l -= l > 1 && buf[l - 2] === 0x0d ? 2 : 1
+  }
+  return buf.slice(0, l)
+}
+
+const writeBufToFile = (buf, file) => {
+  out = fs.createWriteStream(file)
+  out.write(buf)
+  out.end()
+}
+
+const logInfo = (message) => {
+  process.stdout.write(`${message}${os.EOL}`);
+}
+
+const setFailed = (error) => {
+  process.stdout.write(`::error::${escapeData(error.message)}${os.EOL}`);
+  process.exitCode = 1;
+}
+
 const writeCommand = (file, name, value) => {
   // Unique delimiter to avoid conflicts with actual values
   let delim;
@@ -29,24 +59,37 @@ const writeCommand = (file, name, value) => {
 }
 
 const setSecret = (value) => {
-  process.stdout.write(`::add-mask::${escapeData(value)}${os.EOL}`);
+  value = stringify(value);
+
+  // Masking a secret that is not a valid UTF-8 string or buffer is not useful
+  if (value === undefined) return;
+
+  process.stdout.write(
+    value
+      .split(/\r?\n/g)
+      .map(
+        value => `::add-mask::${escapeData(value)}${os.EOL}`
+      )
+      .join('')
+  );
 }
 
 const setOutput = (name, value) => {
+  value = stringify(value);
+  if (value === undefined) {
+    throw new Error(`Output value '${name}' is not a valid UTF-8 string or buffer`);
+  }
+
   writeCommand(process.env.GITHUB_OUTPUT, name, value);
 }
 
 const exportVariable = (name, value) => {
-  writeCommand(process.env.GITHUB_ENV, name, value);
-}
-
-const logInfo = (message) => {
-  process.stdout.write(`${message}${os.EOL}`);
-}
+  value = stringify(value);
+  if (value === undefined) {
+    throw new Error(`Environment variable '${name}' is not a valid UTF-8 string or buffer`);
+  }
 
-const setFailed = (error) => {
-  process.stdout.write(`::error::${escapeData(error.message)}${os.EOL}`);
-  process.exitCode = 1;
+  writeCommand(process.env.GITHUB_ENV, name, value);
 }
 
 (async () => {
@@ -68,9 +111,7 @@ const setFailed = (error) => {
 
   // Fetch secrets from Azure Key Vault
   for (const { input: secretName, encoding, output } of secretMappings) {
-    let secretValue = '';
-
-    const az = spawnSync('az',
+    let az = spawnSync('az',
       [
         'keyvault',
         'secret',
@@ -93,10 +134,12 @@ const setFailed = (error) => {
     if (az.error) throw new Error(az.error, { cause: az.error });
     if (az.status !== 0) throw new Error(`az failed with status ${az.status}`);
 
-    secretValue = az.stdout.toString('utf-8').trim();
+    // az keyvault secret show --output tsv returns a buffer with trailing \n
+    // (or \r\n on Windows), so we need to trim it specifically.
+    let secretBuf = trimEOL(az.stdout);
 
     // Mask the raw secret value in logs
-    setSecret(secretValue);
+    setSecret(secretBuf);
 
     // Handle encoded values if specified
     // Sadly we cannot use the `--encoding` parameter of the `az keyvault
@@ -106,31 +149,46 @@ const setFailed = (error) => {
     if (encoding) {
       switch (encoding.toLowerCase()) {
         case 'base64':
-          secretValue = Buffer.from(secretValue, 'base64').toString();
+          secretBuf = Buffer.from(secretBuf.toString('utf-8'), 'base64');
+          break;
+        case 'ascii':
+        case 'utf8':
+        case 'utf-8':
+          // No need to decode the existing buffer from the az command
           break;
         default:
-          // No decoding needed
-      }
+            throw new Error(`Unsupported encoding: ${encoding}`);
+        }
 
-      setSecret(secretValue); // Mask the decoded value as well
+      // Mask the decoded value
+      setSecret(secretBuf);
     }
 
-    if (output.startsWith('$env:')) {
-      // Environment variable
-      const envVarName = output.replace('$env:', '').trim();
-      exportVariable(envVarName, secretValue);
-      logInfo(`Secret set as environment variable: ${envVarName}`);
-    } else if (output.startsWith('$output:')) {
-      // GitHub Actions output variable
-      const outputName = output.replace('$output:', '').trim();
-      setOutput(outputName, secretValue);
-      logInfo(`Secret set as output variable: ${outputName}`);
-    } else {
-      // File output
-      const filePath = output.trim();
-      fs.mkdirSync(path.dirname(filePath), { recursive: true });
-      fs.writeFileSync(filePath, secretValue);
-      logInfo(`Secret written to file: ${filePath}`);
+    const outputType = output.startsWith('$env:')
+    ? 'env'
+    : output.startsWith('$output:')
+      ? 'output'
+      : 'file';
+
+    switch (outputType) {
+      case 'env':
+        const varName = output.replace('$env:', '').trim();
+        exportVariable(varName, secretBuf);
+        logInfo(`Secret set as environment variable: ${varName}`);
+        break;
+
+      case 'output':
+        const outputName = output.replace('$output:', '').trim();
+        setOutput(outputName, secretBuf);
+        logInfo(`Secret set as output variable: ${outputName}`);
+        break;
+
+      case 'file':
+        const filePath = output.trim();
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        writeBufToFile(secretBuf, filePath);
+        logInfo(`Secret written to file: ${filePath}`);
+        break;
     }
   }
 })().catch(setFailed);