Script deployment is too risky even with secured variables.


jannickboese

21 Jan, 2016 02:19 AM

I have set up an F# project using ProjectScaffold and it comes with very nice and simple FAKE build files / deployment script, meaning I just want to deploy using scripts and not any fancy tools.

However, because all build files are public, that means that if I make a mistake just once, it prints out all the sensitive data.
Meaning AppVeyor is basically useless to me at this point.

As I see it this can be solved doing any of the following:

* Hide inline deployment logs
* Hide build logs
* Allow me to make my public GitHub project private on AppVeyor (remain public on GitHub)
* Add a script environment provider
* Hide sensitive data in logs. (could be done quick and dirty using some matching)

  1. Support Staff 1 Posted by Feodor Fitsner on 21 Jan, 2016 06:40 PM


    Just put sensitive information into secured variables and then use them in your scripts.

    In batch:

    mycommand %mysecurevar%
    

    In PowerShell:

    mycommand $env:mysecurevar
    

    It's pretty reliable - commands are shown "as is", variables are not shown in the build log and secure variables are not set during PR builds - unless, yes, you make a mistake and just output a variable with something like echo %mysecurevar%.

  2. 2 Posted by jannickboese on 21 Jan, 2016 07:19 PM


    Not really. If I call something like git, it will gladly print both username and password.

  3. 3 Posted by jannickboese on 21 Jan, 2016 07:23 PM


    The problem is that unless you are very careful, and even then, just a single slip-up and your passwords are displayed in the log forever, requiring you to delete your project. That's why, when it comes to sensitive information, I want to make absolutely sure nothing can go wrong.

    Also consider that it might not be the same people maintaining the build setup. I don't understand why this is even up for debate; this is clearly a major problem, especially if you work in a larger company.

  4. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:03 AM.
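
One way to approach the "hide sensitive data in logs" idea raised in this thread, as an added example that is not part of the original discussion and not AppVeyor's own code: a PowerShell wrapper that masks secure-variable values, both raw and URL-encoded, in a tool's output before it reaches the build log. `Protect-LogLine` and `Invoke-Redacted` are hypothetical names, `mysecurevar` is the placeholder used in the reply above, and the sample line is constructed; values transformed in any other way (for example base64) are not caught.

```powershell
# Added example (not AppVeyor's code). Function names are hypothetical.
function Protect-LogLine {
    param([AllowEmptyString()] [string] $Line, [string[]] $Secrets)
    # Longest first, so a secret that contains another secret is masked whole
    $ordered = @($Secrets | Where-Object { $_ } | Sort-Object Length -Descending)
    foreach ($s in $ordered) {
        # Mask the raw value and its URL-encoded form (as seen in user:pass@host URLs)
        foreach ($form in @($s, [uri]::EscapeDataString($s))) {
            $Line = $Line.Replace($form, '***')
        }
    }
    $Line
}

function Invoke-Redacted {
    # For native executables (git, msbuild, ...), which set $LASTEXITCODE
    param([string] $Command, [string[]] $Arguments, [string[]] $SecretNames)
    # Look the secure variables up by name so their values never appear in the script
    $values = @(foreach ($n in $SecretNames) { [Environment]::GetEnvironmentVariable($n) })
    # Native stderr merged with 2>&1 arrives as error records; do not let 'Stop' abort on them
    $ErrorActionPreference = 'Continue'
    & $Command @Arguments 2>&1 | ForEach-Object {
        Protect-LogLine -Line ([string]$_) -Secrets $values
    }
    # The message names only the command, never its arguments
    if ($LASTEXITCODE -ne 0) { throw "$Command exited with code $LASTEXITCODE" }
}

# Constructed sample: a secret value and a log line shaped like a tool echoing a credentialed URL
$env:mysecurevar = 'p@ss w0rd'
$sample = "fatal: unable to access 'https://deploy:p%40ss%20w0rd@example.invalid/repo.git/'"
Protect-LogLine -Line $sample -Secrets @($env:mysecurevar)

# In a build step, instead of calling the tool directly:
# Invoke-Redacted -Command git -Arguments @('push', 'origin', 'master') -SecretNames @('mysecurevar')
```

The wrapper only covers output that passes through it; a command run outside `Invoke-Redacted` in the same script still writes to the log unmasked.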
