From ce304cf6ff8e49250829d239d4eb52ef5999db3c Mon Sep 17 00:00:00 2001
From: Andrii Sosiuk <andrii.sosiuk@seco.com>
Date: Mon, 3 Mar 2025 11:31:44 +0100
Subject: [PATCH] [CICD][BUILD] Mask sensitive environment variables in
 build:pass job

  The build:pass job prints environment variables, some of which
  may contain sensitive data.
  This update ensures that variables whose names contain any of the
  substrings listed in FILTER_LIST have their values masked.
---
 build-pipeline-yocto.yml.jinja2 | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/build-pipeline-yocto.yml.jinja2 b/build-pipeline-yocto.yml.jinja2
index 5020b20..b23e689 100644
--- a/build-pipeline-yocto.yml.jinja2
+++ b/build-pipeline-yocto.yml.jinja2
@@ -37,8 +37,25 @@ build:pass:
   needs: []
   timeout: 2m
   image: {{ CI_IMAGE_PYTHON }}
+  variables:
+    FILTER_LIST: "TOKEN KEY"
   script:
-    - printenv
+    # Mask the value of environment variables if their names match any substring in FILTER_LIST
+    - |
+        printenv | awk -F= -v filters="$FILTER_LIST" '
+        BEGIN {
+            IGNORECASE = 1;
+            split(filters, filter_array, " ");
+        }
+        {
+            for (i in filter_array) {
+                if (index(toupper($1), toupper(filter_array[i])) > 0) {
+                    print $1 "=[MASKED]";
+                    next;
+                }
+            }
+            print;
+        }'
     - echo "Build successful"
     - echo "This is the value of the MANUAL_BUILD variable '${MANUAL_BUILD}'"
 
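Review bot: The awk filter in the `script` block reads `printenv` output one line at a time, so a multi-line value (for example a PEM private key) is masked only on its first line; the continuation lines are printed unmasked because their first field rarely contains a filter word. Iterating over awk's built-in `ENVIRON` array handles each variable as a whole, and it makes the gawk-only `IGNORECASE = 1` unnecessary, since `toupper()` is already applied to both sides. The name deny-list is also narrow: `FILTER_LIST: "TOKEN KEY"` misses names containing `PASSWORD` or `SECRET` and cannot catch credentials embedded in a value such as a URL, so consider widening it or printing only an allow-list of known-safe variables. The `build:pass` job definition starts above this hunk.

```yaml
  script:
    # Mask by variable name; ENVIRON keeps multi-line values in one piece
    - |
        awk -v filters="$FILTER_LIST" '
        BEGIN {
            n = split(toupper(filters), filter_array, " ");
            for (name in ENVIRON) {
                masked = 0;
                for (i = 1; i <= n; i++) {
                    if (index(toupper(name), filter_array[i]) > 0) {
                        masked = 1;
                        break;
                    }
                }
                print name "=" (masked ? "[MASKED]" : ENVIRON[name]);
            }
        }'
    # … unchanged: echo steps …
```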
-- 
GitLab