From 9a6e79724f631c8c8c6d64e1fbe5504736893321 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 7 Apr 2025 11:57:29 +0200
Subject: [PATCH] enforce secrets input value as registered secret

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 package.json   |  2 +-
 src/context.ts | 17 ++++++++++++++++-
 yarn.lock      | 30 +++++++++++++++---------------
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/package.json b/package.json
index a39d87a..4b52139 100644
--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
   "packageManager": "yarn@3.6.3",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@docker/actions-toolkit": "0.56.0",
+    "@docker/actions-toolkit": "https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test",
     "handlebars": "^4.7.7"
   },
   "devDependencies": {
diff --git a/src/context.ts b/src/context.ts
index 0a110a2..fe5c321 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -69,7 +69,7 @@ export async function getInputs(): Promise<Inputs> {
     pull: core.getBooleanInput('pull'),
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
-    secrets: Util.getInputList('secrets', {ignoreComma: true}),
+    secrets: getSecretsInput(),
     'secret-envs': Util.getInputList('secret-envs'),
     'secret-files': Util.getInputList('secret-files', {ignoreComma: true}),
     'shm-size': core.getInput('shm-size'),
@@ -296,3 +296,18 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
 
   return args;
 }
+
+function getSecretsInput(): string[] {
+  const secrets = Util.getInputList('secrets', {ignoreComma: true});
+
+  for (const secret of secrets) {
+    try {
+      // enforce value as registered GitHub Secret
+      Build.parseSecretKvp(secret, true);
+    } catch (err) {
+      // ignore invalid secret
+    }
+  }
+
+  return secrets;
+}
diff --git a/yarn.lock b/yarn.lock
index efc5fdb..e70d338 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12,9 +12,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@actions/artifact@npm:^2.2.2":
-  version: 2.2.2
-  resolution: "@actions/artifact@npm:2.2.2"
+"@actions/artifact@npm:^2.3.2":
+  version: 2.3.2
+  resolution: "@actions/artifact@npm:2.3.2"
   dependencies:
     "@actions/core": ^1.10.0
     "@actions/github": ^5.1.1
@@ -28,13 +28,13 @@ __metadata:
     archiver: ^7.0.1
     jwt-decode: ^3.1.2
     unzip-stream: ^0.3.1
-  checksum: 1501b3d0ceb671f370786ccf70014de9586c5a78c95d235248fc16c73bf928f8de2aa932a679258f6d9bc2f2e570648d830551af9f063298f05d19f3330b33bc
+  checksum: 78ee41b43800accb2f3527e1733217c43d53693e7f96ce2470b16890fb84f5c2ebaaa6048ccdb6cfe188b54c02779ec99623c6932558e757f6829cfde203cf2c
   languageName: node
   linkType: hard
 
-"@actions/cache@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@actions/cache@npm:4.0.2"
+"@actions/cache@npm:^4.0.3":
+  version: 4.0.3
+  resolution: "@actions/cache@npm:4.0.3"
   dependencies:
     "@actions/core": ^1.11.1
     "@actions/exec": ^1.0.1
@@ -46,7 +46,7 @@ __metadata:
     "@azure/storage-blob": ^12.13.0
     "@protobuf-ts/plugin": ^2.9.4
     semver: ^6.3.1
-  checksum: 208f11238a26194f331b329bb99d50a87c1a3ccef1dbae181e5c142b3faf41715203e0c5cbc491519d3d97540a68fbd418c25fb6e16caabf76248c40867c02b4
+  checksum: ee9c2a21a70bd3f35c63f302af478e23f135c26deb77ea2e4eed29c62766a4b201fc7435651c0d56fa504c02d203107e3bdfda1dba18a3ee09338e1dfc3f2fe8
   languageName: node
   linkType: hard
 
@@ -1072,12 +1072,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@docker/actions-toolkit@npm:0.56.0":
-  version: 0.56.0
-  resolution: "@docker/actions-toolkit@npm:0.56.0"
+"@docker/actions-toolkit@https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test":
+  version: 0.0.0+unknown
+  resolution: "@docker/actions-toolkit@https://github.com/crazy-max/docker-actions-toolkit.git#commit=222f5b3354ec41cd22ed7c0f2f9e510bd90ccc3c"
   dependencies:
-    "@actions/artifact": ^2.2.2
-    "@actions/cache": ^4.0.2
+    "@actions/artifact": ^2.3.2
+    "@actions/cache": ^4.0.3
     "@actions/core": ^1.11.1
     "@actions/exec": ^1.1.1
     "@actions/github": ^6.0.0
@@ -1097,7 +1097,7 @@ __metadata:
     semver: ^7.7.1
     tar-stream: ^3.1.7
     tmp: ^0.2.3
-  checksum: 0f1b569f8bb206399f8c26e566c78e30e4a311bbd64486016e7fa1d35fbbb4c94d4f55afa6b711afa4b41c5835b40b038f48c3d1bfdfdc6f7c6680973e922d9e
+  checksum: d1b0b8f868d838f4f02a172c2dc34ae2855a6047efba739e68b693e129480b295b4059ba5802abfe9d3b1d62e794fccc408a2961720e9ff13b8b9db6c89bf085
   languageName: node
   linkType: hard
 
@@ -3143,7 +3143,7 @@ __metadata:
   resolution: "docker-build-push@workspace:."
   dependencies:
     "@actions/core": ^1.11.1
-    "@docker/actions-toolkit": 0.56.0
+    "@docker/actions-toolkit": "https://github.com/crazy-max/docker-actions-toolkit#secret-enforce-redact-test"
     "@types/node": ^20.12.12
     "@typescript-eslint/eslint-plugin": ^7.9.0
     "@typescript-eslint/parser": ^7.9.0