
Commit 391c209

committed
mask passwords using setSecret
1 parent b51c44c commit 391c209


1 file changed

+9
-13
lines changed


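--- a/src/main.ts
+++ b/src/main.ts
@@ -9,8 +9,7 @@ import * as os from "os";
 interface CommandConfig {
 command: string;
 args: string[];
-sanitizedArgs: string[]; // args with password hidden
-env?: Record<string, string>;
+env: Record<string, string>;
 }
 
 async function downloadSqldef(command: string, version: string): Promise<string> {
@@ -72,7 +71,6 @@ function getCommandConfig(command: string): CommandConfig {
 const config: CommandConfig = {
 command: "",
 args: [],
-sanitizedArgs: [],
 env: {},
 };
 
@@ -89,10 +87,11 @@ function getCommandConfig(command: string): CommandConfig {
 
 config.args.push("-h", host, "-p", port);
 if (user) config.args.push("-U", user);
+if (password) {
+config.env.PGPASSWORD = password;
+core.setSecret(password);
+}
 if (database) config.args.push(database);
-if (password) config.env = { ...config.env, PGPASSWORD: password };
-
-config.sanitizedArgs = [...config.args];
 break;
 }
 case "mysqldef": {
@@ -106,17 +105,16 @@ function getCommandConfig(command: string): CommandConfig {
 if (user) config.args.push("-u", user);
 // Use environment variable for password (works with empty passwords)
 // This avoids command line parsing issues with -p flag
-if (password != null) {
-config.env = { ...config.env, MYSQL_PWD: password };
+if (password) {
+config.env.MYSQL_PWD = password;
+core.setSecret(password);
 }
 if (database) config.args.push(database);
-config.sanitizedArgs = [...config.args];
 break;
 }
 case "sqlite3def": {
 const database = core.getInput("sqlite-database");
 if (database) config.args.push(database);
-config.sanitizedArgs = [...config.args];
 break;
 }
 case "mssqldef": {
@@ -132,9 +130,9 @@ function getCommandConfig(command: string): CommandConfig {
 // Add -P flag for password if provided
 if (password) {
 config.args.push(`-P${password}`);
+core.setSecret(password);
 }
 if (database) config.args.push(database);
-config.sanitizedArgs = config.args.map((arg) => (arg === `-P${password}` ? "-P***" : arg));
 break;
 }
 default:
@@ -193,8 +191,6 @@ async function runSqldef(binaryPath: string, config: CommandConfig): Promise<str
 }
 Object.assign(execEnv, config.env);
 
-core.debug(`Running command: ${binaryPath} ${config.sanitizedArgs.join(" ")}`);
-
 const exitCode = await exec.exec(binaryPath, config.args, {
 env: execEnv,
 silent: false,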
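Review bot: In the mssqldef case the password is still appended to `config.args` as a `-P` argument, so `core.setSecret(password)` only masks it in the job log and the value stays readable in the child's process arguments by anything else running on the runner. The psqldef and mysqldef cases already pass it through `config.env`, and if the mssqldef build in use honours `MSSQL_PWD` (to be confirmed against its documentation) the same pattern would fit here: `config.env.MSSQL_PWD = password;`. With `sanitizedArgs` removed and `silent: false`, the command line echoed by `exec.exec` carries the raw `-P` value and relies entirely on the mask, which matches the exact registered string only. Separately, the mysqldef guard changed from `password != null` to `if (password)`, so an empty password no longer sets `MYSQL_PWD` and the comment above it ("works with empty passwords") is stale; if `execEnv` is seeded from the runner's environment (not visible here), an inherited `MYSQL_PWD` would then be used instead. Both getCommandConfig and runSqldef continue outside the hunks shown.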
