Do not call setSecret on any unmasked secrets (#17)

* Do not call `setSecret` on any unmasked secrets Right now, every value that's pulled from Doppler is marked as a secret in GitHub Actions, which means any workflow using this action ends up with a ton of unnecessary redactions. For example, if you have the following Doppler values: ``` NODE_ENV = test WORKER_COUNT = 3 ``` Then *every* output that includes `test` and the number 3 gets redacted, making the output rather difficult to read. Now I'm unable to tell the real difference between Listing and Downloading secrets, but from what I can tell from the [api docs](https://docs.doppler.com/reference/secrets-list) only List Secrets includes the visibility information, so I had to change how secrets are pulled. Fixes #16 * Add some debugging * Provide fallback to raw secret * Need to return the nested `secrets` object * Clear out the debugging lines * Remove `raw` fallback, that's not necessary
DopplerHQ · Mar 21, 2024 · bc453b9 · bc453b9
1 parent 584cb6c
commit bc453b9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/doppler.js b/doppler.js
@@ -6,15 +6,15 @@ import { VERSION } from "./meta.js";
  * @param {string} dopplerToken
  * @param {string | null} [dopplerProject]
  * @param {string | null} [dopplerConfig]
- * @returns {() => Promise<Record<string, string>>}
+ * @returns {() => Promise<Record<string, Record>>}
  */
 async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
   return new Promise(function (resolve, reject) {
     const encodedAuthData = Buffer.from(`${dopplerToken}:`).toString("base64");
     const authHeader = `Basic ${encodedAuthData}`;
     const userAgent = `secrets-fetch-github-action/${VERSION}`;
 
-    const url = new URL("https://api.doppler.com/v3/configs/config/secrets/download?format=json");
+    const url = new URL("https://api.doppler.com/v3/configs/config/secrets");
     if (dopplerProject && dopplerConfig) {
       url.searchParams.append("project", dopplerProject);
       url.searchParams.append("config", dopplerConfig);
@@ -27,14 +27,15 @@ async function fetch(dopplerToken, dopplerProject, dopplerConfig) {
           headers: {
             Authorization: authHeader,
             "user-agent": userAgent,
+            "accepts": "application/json",
           },
         },
         (res) => {
           let payload = "";
           res.on("data", (data) => (payload += data));
           res.on("end", () => {
             if (res.statusCode === 200) {
-              resolve(JSON.parse(payload));
+              resolve(JSON.parse(payload).secrets);
             } else {
               try {
                 const error = JSON.parse(payload).messages.join(" ");

diff --git a/index.js b/index.js
@@ -27,9 +27,11 @@ if (IS_SA_TOKEN && !(DOPPLER_PROJECT && DOPPLER_CONFIG)) {
 
 const secrets = await fetch(DOPPLER_TOKEN, DOPPLER_PROJECT, DOPPLER_CONFIG);
 
-for (const [key, value] of Object.entries(secrets)) {
+for (const [key, secret] of Object.entries(secrets)) {
+  const value = secret.computed || "";
+
   core.setOutput(key, value);
-  if (!DOPPLER_META.includes(key)) {
+  if (!DOPPLER_META.includes(key) && secret.computedVisibility !== "unmasked") {
     core.setSecret(value);
   }