NO-JIRA Mask proxy URL and deduplicate test helper

- Register HTTPS_PROXY as a secret via core.setSecret so embedded credentials (e.g. http://user:pass@proxy:8080) cannot leak to CI logs, and drop the URL from the info message. - Hoist clearProxyEnv()/proxyVars to the outer describe scope in the GPG verification tests (Sonar S4144). dist/ regenerated; this also drops stale chunk files that were no longer emitted by the current rollup config. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 18:05:57 +00:00 · 2026-05-18 14:39:23 +02:00 · 2026-05-18 14:39:23 +02:00 · 2575ba4966
commit 2575ba4966
parent 305fabb1f1
11 changed files with 24 additions and 57817 deletions
--- a/dist/core-DpWEmnbG.js
+++ b/dist/core-DpWEmnbG.js
--- a/dist/core-DpWEmnbG.js.map
+++ b/dist/core-DpWEmnbG.js.map
--- a/dist/exec-BTlTa8sL.js
+++ b/dist/exec-BTlTa8sL.js
--- a/dist/exec-BTlTa8sL.js.map
+++ b/dist/exec-BTlTa8sL.js.map
--- a/dist/exec-BeYcktvA.js
+++ b/dist/exec-BeYcktvA.js
@ -31829,5 +31829,5 @@ function requireExec () {

 var execExports = requireExec();

-export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, getInput as j, getBooleanInput as k, core as l, mkdirP as m, setOutput as n, startGroup as o, endGroup as p, rmRF as r, setFailed as s, which as w };
-//# sourceMappingURL=exec-zlpfwmpH.js.map
+export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, setFailed as j, getInput as k, getBooleanInput as l, mkdirP as m, core as n, setOutput as o, startGroup as p, endGroup as q, rmRF as r, setSecret as s, which as w };
+//# sourceMappingURL=exec-BeYcktvA.js.map
--- a/dist/exec-BeYcktvA.js.map
+++ b/dist/exec-BeYcktvA.js.map
--- a/dist/index.js
+++ b/dist/index.js
@ -1,4 +1,4 @@
-import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, h as addPath, s as setFailed, j as getInput, k as getBooleanInput, l as core } from './exec-zlpfwmpH.js';
+import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, s as setSecret, h as addPath, j as setFailed, k as getInput, l as getBooleanInput, n as core } from './exec-BeYcktvA.js';
 import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as os from 'os';
@ -4003,7 +4003,11 @@ async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
  const proxyUrl = getProxyFromEnv();

  if (proxyUrl) {
-    info(`Using proxy for keyserver access: ${proxyUrl}`);
+    // The URL may carry credentials (e.g. http://user:pass@proxy:8080).
+    // Register it as a secret so future logging (here or downstream) is
+    // automatically redacted
+    setSecret(proxyUrl);
+    info("Using HTTPS_PROXY for keyserver access");
  }

  await execExports.exec(
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/install-build-wrapper.js
+++ b/dist/install-build-wrapper.js
@ -1,4 +1,4 @@
-import { f as execExports, h as addPath, a as info, n as setOutput, s as setFailed, o as startGroup, p as endGroup } from './exec-zlpfwmpH.js';
+import { f as execExports, h as addPath, a as info, o as setOutput, j as setFailed, p as startGroup, q as endGroup } from './exec-BeYcktvA.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import 'os';
--- a/src/main/tests/gpg-verification-mocked.test.js
+++ b/src/main/tests/gpg-verification-mocked.test.js
@ -38,6 +38,14 @@ function createTrackedGpgHome(tempDirs) {
 describe("gpg-verification with mocked exec", () => {
  let tempDirs = [];

+  const proxyVars = ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"];
+
+  function clearProxyEnv() {
+    for (const v of proxyVars) {
+      delete process.env[v];
+    }
+  }
+
  afterEach(() => {
    // Clean up temporary directories
    tempDirs.forEach((dir) => {
@ -485,14 +493,6 @@ describe("gpg-verification with mocked exec", () => {
  });

  describe("getProxyFromEnv", () => {
-    const proxyVars = ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"];
-
-    function clearProxyEnv() {
-      for (const v of proxyVars) {
-        delete process.env[v];
-      }
-    }
-
    afterEach(() => {
      clearProxyEnv();
    });
@ -536,14 +536,6 @@ describe("gpg-verification with mocked exec", () => {
  });

  describe("tryImportKey with proxy", () => {
-    const proxyVars = ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"];
-
-    function clearProxyEnv() {
-      for (const v of proxyVars) {
-        delete process.env[v];
-      }
-    }
-
    afterEach(() => {
      clearProxyEnv();
    });
--- a/src/main/gpg-verification.js
+++ b/src/main/gpg-verification.js
@ -151,7 +151,11 @@ async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
  const proxyUrl = getProxyFromEnv();

  if (proxyUrl) {
-    core.info(`Using proxy for keyserver access: ${proxyUrl}`);
+    // The URL may carry credentials (e.g. http://user:pass@proxy:8080).
+    // Register it as a secret so future logging (here or downstream) is
+    // automatically redacted
+    core.setSecret(proxyUrl);
+    core.info("Using HTTPS_PROXY for keyserver access");
  }

  await exec.exec(