`goreleaser release --debug` shows secrets

Summary

Hello 👋

goreleaser release --debug log shows secret values used in the in the custom publisher.

How to reproduce the issue:

Define a custom publisher as the one below. Make sure to provide a custom script to the cmd field and to provide a secret to env

#.goreleaser.yml 
publishers:
  - name: my-publisher
  # IDs of the artifacts we want to sign
    ids:
      - linux_archives
      - linux_package
    cmd: "./build/package/linux_notarize.sh"
    env:
      - VERSION={{ .Version }}
      - SECRET_1={{.Env.SECRET_1}}
      - SECRET_2={{.Env.SECRET_2}}

run goreleaser release --debug

You should see your secret value in the gorelease log. The log shows also the GITHUB_TOKEN

Example:

running                                        cmd= ....
SECRET_1=secret_value

References

caarlos0 published to goreleaser/goreleaser Jan 29, 2024

Published by the National Vulnerability Database Jan 30, 2024

Published to the GitHub Advisory Database Jan 30, 2024

Reviewed Jan 30, 2024

Last updated Jan 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits