
fix: hide new include-ims-annotation secrets#83

Merged
moritzraho merged 3 commits into main from fix/no-credential-print
Feb 23, 2026

@moritzraho
Member

Description

relates to adobe/aio-lib-runtime#224

Related Issue

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@codecov

codecov bot commented Feb 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.



@pru55e11 pru55e11 left a comment


Issue found by cursor:

One issue with the test: the assertion not.toEqual(expect.stringContaining('secret')) will fail when run in generated projects. After hiding, the output JSON still contains the key name client_secret, which includes the substring secret. So stringContaining('secret') matches and the not assertion fails.

This passes CI here because the template test isn't executed in this repo, but developers will hit it when they run tests in their generated apps.

Suggested fix:

expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('"secret"'))

(Checking for the quoted value "secret" instead of the bare substring secret avoids matching the key name client_secret.)


Copilot AI left a comment


Pull request overview

This PR updates the common action-template logging utility to avoid leaking IMS S2S credentials (specifically client_secret) when action input params are stringified for debug logging.

Changes:

  • Redacts params.__ims_oauth_s2s.client_secret in stringParameters.
  • Adds a unit test asserting IMS credential redaction.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| lib/common-templates/utils.js | Redacts client_secret when serializing params for logs. |
| lib/common-templates/utils.test.js | Adds coverage for IMS credential redaction in stringParameters. |


@moritzraho moritzraho merged commit 2330f0e into main Feb 23, 2026
11 checks passed
@moritzraho moritzraho deleted the fix/no-credential-print branch February 23, 2026 19:53
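
The redaction and the test-assertion pitfall discussed in this thread, as an added JavaScript example that is not the code merged in this PR. The `<hidden>` placeholder, the sample params and the `containsSubstring` / `leaksValue` helpers are assumptions made for illustration.

```javascript
// Added illustration; not the code from lib/common-templates/utils.js.
// Assumption: a redacted value is replaced by the placeholder '<hidden>'.
const HIDDEN = '<hidden>'

// Serialize action params for debug logs, masking the IMS S2S client secret.
// Each touched level is copied, so the caller's params object is never mutated.
function stringParameters (params) {
  const safe = { ...params }
  const ims = params.__ims_oauth_s2s
  if (ims && typeof ims === 'object' && 'client_secret' in ims) {
    safe.__ims_oauth_s2s = { ...ims, client_secret: HIDDEN }
  }
  return JSON.stringify(safe)
}

// Substring check, as used in the test under review. It sees key names too.
function containsSubstring (logLine, needle) {
  return logLine.includes(needle)
}

// Stricter check (hypothetical helper): parse the line and compare only string
// VALUES, at any depth, against the known secret. Key names cannot match.
function leaksValue (logLine, secret) {
  const walk = (node) => {
    if (typeof node === 'string') return node.includes(secret)
    if (node && typeof node === 'object') return Object.values(node).some(walk)
    return false
  }
  return walk(JSON.parse(logLine))
}

// Constructed sample input; the credential values are made up.
const sampleParams = {
  name: 'demo',
  __ims_oauth_s2s: { client_id: 'example-client', client_secret: 'secret', scopes: ['openid'] }
}

function demo () {
  const out = stringParameters(sampleParams)
  return {
    out,
    bareSubstringMatches: containsSubstring(out, 'secret'), // key name client_secret still matches
    quotedValueMatches: containsSubstring(out, '"secret"'), // the quoted value is gone
    valueLeaked: leaksValue(out, 'secret'),
    inputUntouched: sampleParams.__ims_oauth_s2s.client_secret === 'secret'
  }
}

console.log(demo())
```

Comparing parsed values rather than substrings keeps the leak check valid whatever the test secret is named, including when it happens to be a substring of a key.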