chore: redact _artifacts tokens

mweibel · mweibel · commit 13d1c1d85ec8 · 2026-04-07T09:48:57.000+02:00
diff --git a/.github/workflows/e2e-biweekly.yml b/.github/workflows/e2e-biweekly.yml
@@ -33,6 +33,12 @@ jobs:
           TAG: e2e-conformance-${{ github.sha }}
         run: make test-e2e-conformance
 
+      - name: Redact secrets from artifacts
+        if: always()
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+        run: hack/log/redact.sh || true
+
       - name: Upload test artifacts
         if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
diff --git a/.github/workflows/e2e-nightly.yml b/.github/workflows/e2e-nightly.yml
@@ -33,6 +33,12 @@ jobs:
           TAG: e2e-nightly-${{ github.sha }}
         run: make test-e2e-lifecycle
 
+      - name: Redact secrets from artifacts
+        if: always()
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+        run: hack/log/redact.sh || true
+
       - name: Upload test artifacts
         if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
diff --git a/.github/workflows/e2e-weekly.yml b/.github/workflows/e2e-weekly.yml
@@ -53,6 +53,12 @@ jobs:
             -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
             "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
 
+      - name: Redact secrets from artifacts
+        if: always()
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+        run: hack/log/redact.sh || true
+
       - name: Upload test artifacts
         if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -69,6 +69,12 @@ jobs:
             -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
             "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
 
+      - name: Redact secrets from artifacts
+        if: always()
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+        run: hack/log/redact.sh || true
+
       - name: Upload test artifacts
         if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
diff --git a/hack/log/redact.sh b/hack/log/redact.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Copyright 2026 cloudscale.ch.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "================ REDACTING LOGS ================"
+# shellcheck disable=SC2207
+log_files=($(find "${ARTIFACTS:-${PWD}/_artifacts}" -type f))
+redact_vars=(
+    "${CLOUDSCALE_API_TOKEN:-}"
+    "$(echo -n "${CLOUDSCALE_API_TOKEN:-}" | base64 | tr -d '\n')"
+)
+
+for log_file in "${log_files[@]}"; do
+    for redact_var in "${redact_vars[@]}"; do
+        if [ -z "${redact_var}" ]; then
+            continue
+        fi
+        # LC_CTYPE=C and LANG=C will prevent "illegal byte sequence" error from sed
+        if [[ "$(uname)" == "Darwin" ]]; then
+            # sed on Mac OS requires an empty string for -i flag
+            LC_CTYPE=C LANG=C sed -i "" "s|${redact_var}|===REDACTED===|g" "${log_file}" &>/dev/null || true
+        else
+            LC_CTYPE=C LANG=C sed -i "s|${redact_var}|===REDACTED===|g" "${log_file}" &>/dev/null || true
+        fi
+    done
+done
+
+echo "All sensitive variables are redacted"
