Secure token showing in appveyor log

Taj Santiago's Avatar

Taj Santiago

10 Feb, 2020 11:07 PM

I have a pre-build step that looks like

```
IF NOT DEFINED APPVEYOR_PULL_REQUEST_NUMBER (
    ECHO "APPVEYOR_PULL_REQUEST_NUMBER is null, downloading credentials to %CREDENTIALS_DIRECTORY%"
    git clone https://%CREDENTIALS_GITHUB_TOKEN%@github.com/my-user/sdk-credentials.git %CREDENTIALS_DIRECTORY%
) ELSE (
    ECHO "APPVEYOR_PULL_REQUEST_NUMBER is %APPVEYOR_PULL_REQUEST_NUMBER% - skip cloning credentials"
)
```

The problem is in the log I see my github token
```
"APPVEYOR_PULL_REQUEST_NUMBER is null, downloading credentials to "C:\projects\sdk-credentials"" git clone https://[my-token]@github.ibm.com/my-user/sdk-credentials.git "C:\projects\sdk-credentials"
```

Is there any way to do this without the token appearing in the log?

  1. Support Staff 1 Posted by Feodor Fitsner on 11 Feb, 2020 12:22 AM

    Feodor Fitsner's Avatar

    Hi Taj,

    Yes, you can configure the token in credentials store, like in this PowerShell snippet:

    - ps: |
        git config --global credential.helper store
        Add-Content "$env:USERPROFILE\.git-credentials" "https://$($env:GH_PAT):x-oauth-basic@github.com`n"
    

    where GH_PAT is environment variable with your personal access token, marked as "secure".

    If you decide to re-work that example for batch files pay attention to the string with credentials ending with just LF (`n), not CRLF.

    Let me know how that worked.

  2. 2 Posted by Taj Santiago on 11 Feb, 2020 02:29 PM

    Taj Santiago's Avatar

    Thanks for the response Feodor,
    What should the .git-credentials file contain in this case?

    ```
    "https://$(<gh-token>):[email blocked]`n"
    ```

    I've set this up locally and I'm still prompted for credentials when I try to clone

  3. 3 Posted by Taj Santiago on 11 Feb, 2020 04:23 PM

    Taj Santiago's Avatar

    Thanks for the response Feodor,
    What should the .git-credentials file contain in this case?

    "https://$(<github-token>):x-oauth-basic@github.<my-company>.com`n"
    

    I've set this up locally and I'm still prompted for credentials when I try to clone

  4. 4 Posted by Taj Santiago on 11 Feb, 2020 06:00 PM

    Taj Santiago's Avatar

    I think this worked, thank you Feodor!

  5. 5 Posted by Taj Santiago on 11 Feb, 2020 06:36 PM

    Taj Santiago's Avatar

    I did run into another issue. I am trying to clone a repo holding shared credentials and I get

    APPVEYOR_PULL_REQUEST_NUMBER is null, cloning credentials.
    git : Cloning into 'C:\projects\sdk-credentials'...
    At line:4 char:3
    +   git clone https://$env:[email blocked]/ ...
    +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (Cloning into 'C...credentials'...:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    

    Any advice here?

  6. Support Staff 6 Posted by Feodor Fitsner on 11 Feb, 2020 06:41 PM

    Feodor Fitsner's Avatar

    Could you send your appveyor.yml please?

  7. 7 Posted by Taj Santiago on 11 Feb, 2020 06:58 PM

    Taj Santiago's Avatar

    Here is the version I am working on
    https://github.com/watson-developer-cloud/dotnet-standard-sdk/blob/...

    The main issue I was trying to solve is the error at the end of this build

    https://ci.appveyor.com/project/mediumTaj/dotnet-standard-sdk/build...

    Running semantic release results in a failed build. I thought I should move this from powershell to cmd to address the failure.

  8. Support Staff 8 Posted by Feodor Fitsner on 11 Feb, 2020 07:02 PM

    Feodor Fitsner's Avatar

    Yes, switching to "cmd" will do the trick. These "RemoteException" errors happen when a tool writes something to StdErr which is treated by PowerShell as exception.

  9. Support Staff 9 Posted by Feodor Fitsner on 11 Feb, 2020 07:02 PM

    Feodor Fitsner's Avatar

    With git clone adding -q (quiet) arg could work as well.

  10. 10 Posted by Taj Santiago on 11 Feb, 2020 07:15 PM

    Taj Santiago's Avatar

    Thanks Feodor, I'll try adding -q to both the git clone and the npx call that was giving me the issue!

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac