feat: add output export for Terraform apply action #20

Merged
Michael.Seele merged 1 commit from feature/terraform-apply-outputs into main 2026-05-05 13:22:43 +00:00
No description provided.
Michael.Seele added 1 commit 2026-05-05 09:23:04 +00:00
feat: add output export for Terraform apply action
All checks were successful
validate-shared-actions / validate-shared-actions (pull_request) Successful in 40s
Aikido Security PR Check / Aikido Security Scan (pull_request) Successful in 50s
4b76b06148
requested review from Developers 2026-05-05 09:23:04 +00:00
Markus.Opahle requested changes 2026-05-05 11:26:41 +00:00
Dismissed
Markus.Opahle left a comment
Owner

Review summary

Nice feature addition and README update. A few issues should be addressed before merge:

  1. Sensitive output leakage (security)

    • terraform output -json includes metadata for sensitive outputs, and may expose values through step outputs.
    • Current jq exports all outputs unconditionally to $GITHUB_OUTPUT.
    • This can unintentionally propagate secrets to downstream steps.
  2. $GITHUB_OUTPUT format fragility (correctness)

    • Writing key=value directly breaks for multiline values (common for certs/keys), and can be unsafe for special characters.
    • Use the documented multiline format (<<EOF) per output.

Suggested adjustment

  • Filter out sensitive outputs and emit robustly:
terraform -chdir="$TF_DIR" output -json | jq -r '
  to_entries[]
  | select(.value.sensitive != true)
  | .key as $k
  | (.value.value | if type=="string" then . else tojson end) as $v
  | "\($k)<<__TF_OUT__\n\($v)\n__TF_OUT__"
' >> "$GITHUB_OUTPUT"

Minor docs note

  • README currently says “All Terraform outputs are automatically exported.”
    Consider clarifying behavior for sensitive outputs (e.g., excluded by default).
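The filter-and-emit step proposed in the review above, written out in Python as an added example (not the repository's action code) so the two failure modes it names, sensitive values leaking and multiline values breaking `key=value`, can be exercised offline. The sample JSON is constructed, and the random delimiter and collision check go one step beyond the review's fixed `__TF_OUT__` marker.

```python
"""Export non-sensitive Terraform outputs in $GITHUB_OUTPUT heredoc form."""
import json
import secrets
import sys

# Constructed stand-in for `terraform output -json`; no real infrastructure data.
SAMPLE_TF_OUTPUT = json.dumps({
    "vpc_id": {"sensitive": False, "type": "string", "value": "vpc-0123abcd"},
    "db_password": {"sensitive": True, "type": "string", "value": "hunter2"},
    "ca_cert": {"sensitive": False, "type": "string",
                "value": "-----BEGIN CERTIFICATE-----\nMIIBfakeCERTdata\n-----END CERTIFICATE-----"},
    "subnet_ids": {"sensitive": False, "type": ["list", "string"],
                   "value": ["subnet-a", "subnet-b"]},
})


def render_outputs(tf_json: str, delimiter: str = "") -> str:
    """Return the text to append to $GITHUB_OUTPUT.

    Outputs flagged sensitive are skipped entirely. Every remaining value is
    emitted as `name<<DELIM ... DELIM`, the documented multiline form, so
    certificates, keys and values with special characters survive intact.
    """
    outputs = json.loads(tf_json)
    # A random delimiter (assumption added here) avoids collisions with values
    # that happen to contain a fixed marker such as __TF_OUT__.
    delim = delimiter or f"__TF_OUT_{secrets.token_hex(8)}__"
    lines = []
    for name, meta in outputs.items():
        if meta.get("sensitive") is True:
            continue  # never propagate sensitive outputs to downstream steps
        value = meta["value"]
        # Non-string values are serialised compactly, matching jq's tojson.
        text = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
        if delim in text:
            raise ValueError(f"output {name!r} contains the heredoc delimiter")
        lines.append(f"{name}<<{delim}\n{text}\n{delim}")
    return "\n".join(lines) + ("\n" if lines else "")


def exported_names(tf_json: str) -> list:
    """Names that would be exported, i.e. everything not marked sensitive."""
    return [n for n, m in json.loads(tf_json).items() if m.get("sensitive") is not True]


if __name__ == "__main__":
    # Usage: terraform -chdir="$TF_DIR" output -json | python3 export_outputs.py >> "$GITHUB_OUTPUT"
    sys.stdout.write(render_outputs(sys.stdin.read()))
```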
Michael.Seele force-pushed feature/terraform-apply-outputs from 4b76b06148 to b034e6cd55 2026-05-05 12:29:58 +00:00 Compare
Michael.Seele force-pushed feature/terraform-apply-outputs from b034e6cd55 to a0e6adf3db 2026-05-05 12:32:03 +00:00 Compare
Author
Owner

@Markus.Opahle review again

requested review from Markus.Opahle 2026-05-05 12:41:41 +00:00
Markus.Opahle approved these changes 2026-05-05 13:14:49 +00:00
Markus.Opahle left a comment
Owner

LGTM ✓

Michael.Seele merged commit afed7e800e into main 2026-05-05 13:22:43 +00:00
Michael.Seele deleted branch feature/terraform-apply-outputs 2026-05-05 13:22:43 +00:00
Reference: schmalz/shared-actions#20