diff --git a/.github/workflows/license_npm.yml b/.github/workflows/license_npm.yml
index 91c7fb4..daa97a5 100644
--- a/.github/workflows/license_npm.yml
+++ b/.github/workflows/license_npm.yml
@@ -13,6 +13,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+ contents: read
+
 jobs:
 license-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index d126c62..a09c445 100644
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@@ -7,6 +7,9 @@ on:
 - master
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/lib/installers/atl.js b/lib/installers/atl.js
index 84b90b7..dfe46fb 100644
--- a/lib/installers/atl.js
+++ b/lib/installers/atl.js
@@ -85,7 +85,7 @@ const configurePrivateRepoAccess = () => {
 stdio: 'pipe',
 }).trim();
 
- if (!gitConfig.includes('https://github.com/')) {
+ if (gitConfig !== 'https://github.com/') {
 console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
 execSync('git config --global url."git@github.com:".insteadOf "https://github.com/"', {
 stdio: 'pipe',
diff --git a/lib/installers/discord.js b/lib/installers/discord.js
index 71f9695..5a97a1a 100644
--- a/lib/installers/discord.js
+++ b/lib/installers/discord.js
@@ -84,8 +84,7 @@ const configurePrivateRepoAccess = () => {
 }
 );
 
- const needsConfig =
- gitResult.status !== 0 || !gitResult.stdout.trim().includes('https://github.com/');
+ const needsConfig = gitResult.status !== 0 || gitResult.stdout.trim() !== 'https://github.com/';
 
 if (needsConfig) {
 console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
diff --git a/lib/installers/esq.js b/lib/installers/esq.js
index 649995e..6105280 100644
--- a/lib/installers/esq.js
+++ b/lib/installers/esq.js
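Review bot: In lib/installers/atl.js the exact comparison `gitConfig !== 'https://github.com/'` sends every other existing value of the rewrite key to the `git config --global` write, which silently replaces a single value the user already set and fails when the key holds several values. The same comparison is repeated in the discord.js, esq.js and n8n.js hunks. Consider logging the value that is about to be replaced, or appending instead with `git config --global --add url."git@github.com:".insteadOf "https://github.com/"` so a narrower rewrite stays in place. The read that fills `gitConfig` and the rest of `configurePrivateRepoAccess` lie outside the hunk, so the key being read is inferred from the write shown here. With four installers carrying identical logic, a shared helper would stop the check from drifting between copies.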
@@ -95,8 +95,7 @@ const configurePrivateRepoAccess = () => {
 }
 );
 
- const needsConfig =
- gitResult.status !== 0 || !gitResult.stdout.trim().includes('https://github.com/');
+ const needsConfig = gitResult.status !== 0 || gitResult.stdout.trim() !== 'https://github.com/';
 
 if (needsConfig) {
 console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
diff --git a/lib/installers/grafanactl.js b/lib/installers/grafanactl.js
index 237110f..6a924d0 100644
--- a/lib/installers/grafanactl.js
+++ b/lib/installers/grafanactl.js
@@ -6,13 +6,30 @@ import path from 'path';
 import { execSync, spawnSync } from 'child_process';
 import { commandExists, getPlatformInfo } from '../utils/platform.js';
 
+// Keys whose following arg is a secret (e.g. contexts.X.grafana.password).
+const SENSITIVE_KEY_PATTERN = /\.(token|password|secret|api[_-]?key)$/i;
+
+/**
+ * Redact values in args that follow a sensitive key so secrets don't leak
+ * into error messages or logs.
+ */
+const redactSensitiveArgs = (args) =>
+ args.map((arg, i) => {
+ const prev = args[i - 1];
+ if (typeof prev === 'string' && SENSITIVE_KEY_PATTERN.test(prev)) {
+ return '';
+ }
+ return arg;
+ });
+
 /**
 * Run a grafanactl config command, throwing on failure
 */
 const runConfig = (binary, args) => {
 const result = spawnSync(binary, args, { stdio: 'pipe', encoding: 'utf8' });
 if (result.status !== 0) {
- throw new Error(`grafanactl ${args.join(' ')} failed: ${result.stderr || 'unknown error'}`);
+ const safeArgs = redactSensitiveArgs(args);
+ throw new Error(`grafanactl ${safeArgs.join(' ')} failed: ${result.stderr || 'unknown error'}`);
 }
 return result;
 };
diff --git a/lib/installers/n8n.js b/lib/installers/n8n.js
index 5486100..75b5a0f 100644
--- a/lib/installers/n8n.js
+++ b/lib/installers/n8n.js
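Review bot: In lib/installers/grafanactl.js `runConfig` still appends `result.stderr` to the error text unredacted, so a secret that grafanactl echoes back on failure would bypass `redactSensitiveArgs`; scrubbing the same values out of stderr closes that gap. `SENSITIVE_KEY_PATTERN` is anchored with `$`, so it covers only the two-argument `key value` form and not a single `key=value` argument, which the comment above the pattern should state if that form is never passed. As rendered here the redacted argument becomes an empty string and disappears from the joined command line; a visible marker such as `'[REDACTED]'` keeps the message readable. The sketch below shows the stderr scrubbing.

```javascript
// Values that follow a sensitive key; these are scrubbed from stderr too.
const sensitiveValues = (args) =>
  args.filter(
    (arg, i) =>
      typeof arg === 'string' &&
      arg.length > 0 &&
      typeof args[i - 1] === 'string' &&
      SENSITIVE_KEY_PATTERN.test(args[i - 1])
  );

const runConfig = (binary, args) => {
  // … unchanged: spawnSync call …
  if (result.status !== 0) {
    const safeArgs = redactSensitiveArgs(args);
    let stderr = result.stderr || 'unknown error';
    for (const secret of sensitiveValues(args)) {
      stderr = stderr.split(secret).join('[REDACTED]');
    }
    throw new Error(`grafanactl ${safeArgs.join(' ')} failed: ${stderr}`);
  }
  // … unchanged: return result and end of runConfig …
```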
@@ -97,7 +97,7 @@ const configurePrivateRepoAccess = () => {
 stdio: 'pipe',
 }).trim();
 
- if (!gitConfig.includes('https://github.com/')) {
+ if (gitConfig !== 'https://github.com/') {
 console.log(chalk.gray('Configuring git to use SSH for GitHub...'));
 execSync('git config --global url."git@github.com:".insteadOf "https://github.com/"', {
 stdio: 'pipe',