CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile: 9.0%
Hello 👋
goreleaser release --debug log shows secret values used in the custom publisher.
How to reproduce the issue:
cmd field and to provide a secret to env
# .goreleaser.yml
publishers:
  - name: my-publisher
    # IDs of the artifacts we want to sign
    ids:
      - linux_archives
      - linux_package
    cmd: "./build/package/linux_notarize.sh"
    env:
      - VERSION={{ .Version }}
      - SECRET_1={{.Env.SECRET_1}}
      - SECRET_2={{.Env.SECRET_2}}
goreleaser release --debug
You should see your secret value in the goreleaser log. The log also shows the GITHUB_TOKEN.
Example:
running cmd= ....
SECRET_1=secret_value
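
One way to keep values like these out of debug output is to mask every environment value before the line is written. This is an added example, not goreleaser's own code; the function name redactLine and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// redactLine (hypothetical helper) replaces every occurrence of an
// environment value in line with "$KEY", so the log records which variable
// was used but not its content. env holds "KEY=VALUE" entries, the same
// shape as os.Environ().
func redactLine(line string, env []string) string {
	type pair struct{ key, value string }
	var pairs []pair
	for _, e := range env {
		k, v, ok := strings.Cut(e, "=")
		// Skip malformed entries and blank values: replacing "" would
		// insert the placeholder between every character of the line.
		if !ok || k == "" || strings.TrimSpace(v) == "" {
			continue
		}
		pairs = append(pairs, pair{k, v})
	}
	// Longest value first, so a secret that contains another value is
	// masked whole instead of leaving its tail in the log.
	sort.SliceStable(pairs, func(i, j int) bool {
		return len(pairs[i].value) > len(pairs[j].value)
	})
	for _, p := range pairs {
		line = strings.ReplaceAll(line, p.value, "$"+p.key)
	}
	return line
}

func main() {
	// Constructed sample values, modelled on the publisher config above.
	env := []string{
		"VERSION=1.2.3",
		"SECRET_1=secret_value",
		"SECRET_2=secret_value_long",
		"EMPTY=",
	}
	raw := "running cmd=./build/package/linux_notarize.sh env=" + strings.Join(env, " ")
	fmt.Println(redactLine(raw, env))
}
```

Every value is masked, not only those whose key looks like a secret, because the logger cannot know which variables are sensitive.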