step-security / wait-for-secrets Goto Github PK

@arjundashrath, please take this up.

I have added the TODO statements in the code. The API to be called and expected response is also added in the comments.

If you have any questions, please let me know.

We should use id-token to authenticate the job to our API.

Use getIDToken from actions toolkit for this. Send the token in the Authorization header.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#updating-your-actions-for-oidc

I will create a separate issue in the API to validate the token and get the job, workflow, and repo details from the id-token.

• npm publish with OTP
• Use of user tokens to deploy to cloud

Hello, thanks for this GitHub Action package, I use it in a few of my open source projects, however I'm getting a warning from GitHub Action that Node16 are deprecated and eventually migrated (or fail). Below is the warning I'm currently receiving after an NPM release using this action

[deploy-npm-latest](https://github.com/lerna-lite/lerna-lite/actions/runs/8530155212/job/23367421675)
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: step-security/wait-for-secrets@v1. 

For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

Currently secrets are not masked when written to log.

Use core.setSecret to inform GitHub Actions that the value is a secret.
https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-setting-a-value

It should be something like
https://app.stepsecurity.io/secrets/jsx-eslint/eslint-plugin-react/3498968497
instead of
https://app.stepsecurity.io/secrets?owner=jsx-eslint&repo=eslint-plugin-react&runId=3498968497

Currently we print the URL every 10 seconds:

You can see this here:
https://github.com/step-security/secure-workflows/actions/runs/3050195152/jobs/4917035695#step:7:12

The change is to only print the URL once and then print a . every 10 seconds. This will reduce size of the build log.
In addition,

1. The first time the URL is printed, it should be printed before the wait statement.
   

   wait-for-secrets/src/index.ts

   Line 62 in cca2533

   await sleep(9000);

2. It should be printed in green color, similar to how we print for harden runner. The code for that is here.

We need to think more about how to do this, but it would be interesting to provide the GitHub token of the user using the browser and publish a release or call GitHub API using it.

For example, currently, the wait-for-secrets Action is released using a PAT. PAT is created manually and entered during the workflow. After the workflow is completed, the PAT is deleted.

It would be nice if this process could be made simpler.

wait-for-secrets times out after 10 minutes if no secrets are provided. We should make this time-out interval configurable using an action input.

Checkout the feature here: https://github.com/8398a7/action-slack

The goal is to allow setting a SLACK_WEBHOOK_URL as an action input. Users of this action can then specify this value to send the url to Slack.

After the secrets are entered, the UI shows a blank page.

We need to update the page to show that secrets have already been entered and show some basic details, and link back to the workflow run.

Ideally, the secrets should be encrypted end-to-end so the backend API cannot access them. Only the GitHub Action should be able to decrypt the secrets.