enforce secrets input value as registered secret

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-06-28 23:36:41 +02:00 · 2025-04-07 11:57:29 +02:00 · 2025-04-07 11:57:29 +02:00 · 9a6e79724f
commit 9a6e79724f
parent 84ad562665
3 changed files with 32 additions and 17 deletions
--- a/src/context.ts
+++ b/src/context.ts
@ -69,7 +69,7 @@ export async function getInputs(): Promise<Inputs> {
    pull: core.getBooleanInput('pull'),
    push: core.getBooleanInput('push'),
    sbom: core.getInput('sbom'),
-    secrets: Util.getInputList('secrets', {ignoreComma: true}),
+    secrets: getSecretsInput(),
    'secret-envs': Util.getInputList('secret-envs'),
    'secret-files': Util.getInputList('secret-files', {ignoreComma: true}),
    'shm-size': core.getInput('shm-size'),
@ -296,3 +296,18 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st

  return args;
 }
+
+function getSecretsInput(): string[] {
+  const secrets = Util.getInputList('secrets', {ignoreComma: true});
+
+  for (const secret of secrets) {
+    try {
+      // enforce value as registered GitHub Secret
+      Build.parseSecretKvp(secret, true);
+    } catch (err) {
+      // ignore invalid secret
+    }
+  }
+
+  return secrets;
+}