check multiline secrets

microsoft · Dec 1, 2023 · 33c575a · 33c575a
1 parent 12f04ef
commit 33c575a
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 4 deletions.
diff --git a/Actions/ReadSecrets/README.md b/Actions/ReadSecrets/README.md
@@ -18,7 +18,8 @@ Secrets, which name is preceded by an asterisk (*) are encrypted and Base64 enco
 | shell | | The shell (powershell or pwsh) in which the PowerShell script in this action should run | powershell |
 | parentTelemetryScopeJson | | Specifies the parent telemetry scope for the telemetry signal | {} |
 | getSecrets | Yes | Comma-separated list of secrets to get (add appDependencyProbingPathsSecrets to request secrets needed for resolving dependencies in AppDependencyProbingPaths, add TokenForPush in order to request a token to use for pull requests and commits). Secrets preceded by an asterisk are returned encrypted | |
-| useGhTokenWorkflowForPush | false | Determines whether you want to use the GhTokenWorkflow secret for TokenForPush |
+| useGhTokenWorkflowForPush | false | Determines whether you want to use the GhTokenWorkflow secret for TokenForPush | false |
+| checkSecretsForCommonMistakes | false | Determines whether you want to check all GitHub secrets for Common mistakes (including newlines), which can lead to problems down the road | false |
 
 ## OUTPUT
 

diff --git a/Actions/ReadSecrets/ReadSecrets.ps1 b/Actions/ReadSecrets/ReadSecrets.ps1
@@ -4,7 +4,9 @@
     [Parameter(HelpMessage = "Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted", Mandatory = $true)]
     [string] $getSecrets = "",
     [Parameter(HelpMessage = "Determines whether you want to use the GhTokenWorkflow secret for TokenForPush", Mandatory = $false)]
-    [string] $useGhTokenWorkflowForPush = 'false'
+    [string] $useGhTokenWorkflowForPush = 'false',
+    [Parameter(HelpMessage = "Determines whether you want to check all GitHub secrets for Common mistakes (including newlines), which can lead to problems down the road", Mandatory = $false)]
+    [bool] $checkSecretsForCommonMistakes
 )
 
 $buildMutexName = "AL-Go-ReadSecrets"
@@ -24,6 +26,10 @@ try {
     . (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
     Import-Module (Join-Path $PSScriptRoot ".\ReadSecretsHelper.psm1") -ArgumentList $gitHubSecrets
 
+    if ($checkSecretsForCommonMistakes) {
+        CheckSecretsForCommonMistakes
+    }
+
     $outSecrets = [ordered]@{}
     $settings = $env:Settings | ConvertFrom-Json | ConvertTo-HashTable
     $keyVaultCredentials = GetKeyVaultCredentials

diff --git a/Actions/ReadSecrets/ReadSecretsHelper.psm1 b/Actions/ReadSecrets/ReadSecretsHelper.psm1
@@ -15,7 +15,7 @@ $script:escchars = @(' ','!','\"','#','$','%','\u0026','\u0027','(',')','*','+',
 # This can cause problems if these values are used as elsewhere - f.ex. if a line contains a { or a } character, then no JSON string can be parsed from one job to another
 # This function checks for multi-line secrets displays warnings if multi-line secrets with lines containing short strings
 #
-function CheckSecrets {
+function CheckSecretsForCommonMistakes {
     foreach($secretName in $script:gitHubSecrets.PSObject.Properties.Name) {
         $secretValue = $script:gitHubSecrets."$secretName"
         if ($secretValue.contains("`n")) {

diff --git a/Actions/ReadSecrets/action.yaml b/Actions/ReadSecrets/action.yaml
@@ -15,6 +15,10 @@ inputs:
     description: Determines whether you want to use the GhTokenWorkflow secret for TokenForPush
     required: false
     default: 'false'
+  CheckSecretsForCommonMistakes:
+    description: Determines whether you want to check all GitHub secrets for Common mistakes (including newlines), which can lead to problems down the road
+    required: false
+    default: 'false'
 outputs:
   Secrets:
     description: All requested secrets in compressed JSON format
@@ -31,10 +35,11 @@ runs:
       env:
         _getSecrets: ${{ inputs.getSecrets }}
         _useGhTokenWorkflowForPush: ${{ inputs.useGhTokenWorkflowForPush }}
+        _checkSecretsForCommonMistakes: ${{ inputs.CheckSecretsForCommonMistakes }}
       run: |
         $errorActionPreference = "Stop"; $ProgressPreference = "SilentlyContinue"; Set-StrictMode -Version 2.0
         try {
-          ${{ github.action_path }}/ReadSecrets.ps1 -gitHubSecrets '${{ inputs.gitHubSecrets }}' -getSecrets $ENV:_getSecrets -useGhTokenWorkflowForPush $ENV:_useGhTokenWorkflowForPush
+          ${{ github.action_path }}/ReadSecrets.ps1 -gitHubSecrets '${{ inputs.gitHubSecrets }}' -getSecrets $ENV:_getSecrets -useGhTokenWorkflowForPush $ENV:_useGhTokenWorkflowForPush -CheckSecretsForCommonMistakes ($ENV:_checkSecretsForCommonMistakes -eq 'true')
         }
         catch {
           Write-Host "::ERROR::Unexpected error when running action. Error Message: $($_.Exception.Message.Replace("`r",'').Replace("`n",' ')), StackTrace: $($_.ScriptStackTrace.Replace("`r",'').Replace("`n",' <- '))";

diff --git a/Templates/AppSource App/.github/workflows/CICD.yaml b/Templates/AppSource App/.github/workflows/CICD.yaml
@@ -90,6 +90,7 @@ jobs:
           shell: powershell
           gitHubSecrets: ${{ toJson(secrets) }}
           getSecrets: ${{ steps.DetermineDeliveryTargetSecrets.outputs.ContextSecrets }}
+          checkSecretsForCommonMistakes: 'true'
 
       - name: Determine Delivery Targets
         id: DetermineDeliveryTargets

diff --git a/Templates/Per Tenant Extension/.github/workflows/CICD.yaml b/Templates/Per Tenant Extension/.github/workflows/CICD.yaml
@@ -90,6 +90,7 @@ jobs:
           shell: powershell
           gitHubSecrets: ${{ toJson(secrets) }}
           getSecrets: ${{ steps.DetermineDeliveryTargetSecrets.outputs.ContextSecrets }}
+          checkSecretsForCommonMistakes: 'true'
 
       - name: Determine Delivery Targets
         id: DetermineDeliveryTargets