Merge pull request #48 from retailnext/copilot/add-hide-outputs-variable

Add `hide_outputs` input to suppress command output from Actions log

Author: eriksw

README.md

@@ -24,6 +24,7 @@ The outputs `stdout` and `stderr` have been replaced with `stdout_file` and
 - Capture standard output and standard error to temporary files
 - Output file paths available as action outputs
 - Stream output in real-time to the workflow logs
+- Optionally hide outputs from the workflow log to protect sensitive data
 - Forward signals (SIGINT, SIGTERM, SIGQUIT, SIGHUP, SIGPIPE, SIGABRT) to the
   running command
 - Commands are executed directly without a shell (no shell operators like `|`,
@@ -76,6 +77,17 @@ be considered successful. For example, some linters return specific exit codes
 for warnings vs errors, or you may want to accept multiple exit codes as valid
 outcomes.
 
+### `hide_outputs`
+
+**Optional** When set to `"true"`, the stdout and stderr from the command are
+only written to the respective output files and are not written to the
+stdout/stderr of the action itself. Default is `"false"`.
+
+This is useful for commands that emit sensitive data (e.g., secrets, tokens) to
+their output. The outputs are hidden from the GitHub Actions log but remain
+available to subsequent workflow steps via the `stdout_file` and `stderr_file`
+output paths.
+
 ## Outputs
 
 ### `stdout_file`
@@ -159,3 +171,19 @@ The exit code of the executed command (as a string).
     # Accept 0, any code from 10-15, and 20 as success
     success_exit_codes: '0,10-15,20'
 ```
+
+### Hide sensitive outputs from the log
+
+```yaml
+- name: Fetch Secret Data
+  id: fetch
+  uses: retailnext/exec-action@main
+  with:
+    command: 'my-tool --output-secret'
+    hide_outputs: 'true'
+
+- name: Process Secret Data
+  run: |
+    # The output is hidden from the log but available via the file path
+    process-data < "${{ steps.fetch.outputs.stdout_file }}"
+```

__tests__/main.test.ts

@@ -110,6 +110,45 @@ describe('main.ts', () => {
       expect(core.setFailed).not.toHaveBeenCalled()
     })
 
+    it('Hides outputs from process streams when hide_outputs is true', async () => {
+      core.getInput.mockImplementation((name: string) => {
+        if (name === 'command') return 'echo "Hello World"'
+        if (name === 'success_exit_codes') return '0'
+        if (name === 'hide_outputs') return 'true'
+        return ''
+      })
+
+      await run()
+
+      // Verify outputs were still set with file paths
+      expect(core.setOutput).toHaveBeenCalledWith(
+        'stdout_file',
+        expect.stringMatching(/exec-.*\.stdout$/)
+      )
+      expect(core.setOutput).toHaveBeenCalledWith(
+        'stderr_file',
+        expect.stringMatching(/exec-.*\.stderr$/)
+      )
+      expect(core.setOutput).toHaveBeenCalledWith('exit_code', '0')
+
+      // Verify the action did not fail
+      expect(core.setFailed).not.toHaveBeenCalled()
+    })
+
+    it('Does not hide outputs when hide_outputs is false', async () => {
+      core.getInput.mockImplementation((name: string) => {
+        if (name === 'command') return 'echo "Hello World"'
+        if (name === 'success_exit_codes') return '0'
+        if (name === 'hide_outputs') return 'false'
+        return ''
+      })
+
+      await run()
+
+      // Verify the action did not fail
+      expect(core.setFailed).not.toHaveBeenCalled()
+    })
+
     it('Handles execution errors', async () => {
       // Use parseCommand with invalid input to trigger an error
       core.getInput.mockImplementation((name: string) => {
@@ -308,6 +347,23 @@ describe('main.ts', () => {
       expect(stdoutContent.length).toBeGreaterThan(0)
     })
 
+    it('Does not forward outputs to process streams when hideOutputs is true', async () => {
+      const result = await executeCommand(
+        'sh -c "echo stdout message && echo stderr message >&2"',
+        { hideOutputs: true }
+      )
+
+      expect(result.exitCode).toBe(0)
+
+      // Verify stdout file still has the output content
+      const stdoutContent = await readFile(result.stdoutFile, 'utf-8')
+      expect(stdoutContent).toContain('stdout message')
+
+      // Verify stderr file still has the output content
+      const stderrContent = await readFile(result.stderrFile, 'utf-8')
+      expect(stderrContent).toContain('stderr message')
+    })
+
     it('Captures both stdout and stderr to separate files', async () => {
       const result = await executeCommand(
         'sh -c "echo stdout message && echo stderr message >&2"'

action.yml

@@ -18,6 +18,15 @@ inputs:
       (e.g., "0,1,2") or ranges (e.g., "0-2,5,10-15"). Default is "0".
     required: false
     default: '0'
+  hide_outputs:
+    description: >
+      When set to true, stdout and stderr from the command are only written to
+      the respective output files and are not written to the stdout/stderr of
+      the action itself. This hides the outputs from the GitHub Actions log
+      while still making them available to subsequent workflow steps via the
+      output files. Default is "false".
+    required: false
+    default: 'false'
 
 # Define your outputs here.
 outputs:

badges/coverage.svg

@@ -15,15 +15,18 @@ export async function run(): Promise<void> {
   try {
     const command: string = core.getInput('command', { required: true })
     const successExitCodesInput: string = core.getInput('success_exit_codes')
+    const hideOutputs: boolean =
+      core.getInput('hide_outputs').toLowerCase() === 'true'
 
     core.debug(`Executing command: ${command}`)
     core.debug(`Success exit codes: ${successExitCodesInput}`)
+    core.debug(`Hide outputs: ${hideOutputs}`)
 
     // Parse success exit codes
     const successExitCodes = parseSuccessExitCodes(successExitCodesInput)
 
     // Execute the command and capture outputs
-    const result = await executeCommand(command)
+    const result = await executeCommand(command, { hideOutputs })
 
     // Set outputs for other workflow steps to use
     core.setOutput('stdout_file', result.stdoutFile)
@@ -204,13 +207,21 @@ function setupSignalHandlers(child: ReturnType<typeof spawn>): () => void {
  * Execute a command and capture its output to files.
  *
  * @param command The command to execute.
+ * @param options Optional execution options.
+ * @param options.hideOutputs When true, stdout and stderr are only written to
+ *   files and are not forwarded to process.stdout/process.stderr.
  * @returns A promise that resolves with file paths and exit code.
  */
-export async function executeCommand(command: string): Promise<{
+export async function executeCommand(
+  command: string,
+  options: { hideOutputs?: boolean } = {}
+): Promise<{
   stdoutFile: string
   stderrFile: string
   exitCode: number
 }> {
+  const { hideOutputs = false } = options
+
   // Parse command into executable and arguments
   // Simple parsing that splits on whitespace while respecting quoted strings
   const args = parseCommand(command)
@@ -278,20 +289,24 @@ export async function executeCommand(command: string): Promise<{
       checkIfComplete()
     })
 
-    // Pipe stdout to both file and process.stdout
+    // Pipe stdout to file, and optionally to process.stdout
     // By default, stream.end() is called on the destination when source emits 'end'
     if (child.stdout) {
       child.stdout.pipe(stdoutFileStream)
-      child.stdout.pipe(process.stdout)
+      if (!hideOutputs) {
+        child.stdout.pipe(process.stdout)
+      }
     } else {
       // No stdout, manually end the stream
       stdoutFileStream.end()
     }
 
-    // Pipe stderr to both file and process.stderr
+    // Pipe stderr to file, and optionally to process.stderr
     if (child.stderr) {
       child.stderr.pipe(stderrFileStream)
-      child.stderr.pipe(process.stderr)
+      if (!hideOutputs) {
+        child.stderr.pipe(process.stderr)
+      }
     } else {
       // No stderr, manually end the stream
       stderrFileStream.end()