[CI] Redact logs stored in DB and retry indexing (#615)

WojciechMazur · web-flow · commit 3c352cfc2151 · 2026-01-20T21:02:58.000+01:00
* Redact secrets form logs stored in ES

* Retry to publish build results in case it fails

* Redact logs using scala script

* Try fix heredocs

* Another fix to heredocs problems, refactor to file

* Fix typo in scala invocaiton
diff --git a/.github/actions/build-project/action.yaml b/.github/actions/build-project/action.yaml
@@ -250,24 +250,41 @@ runs:
             jq -c -r "$path" $ConfigFile 
           }
 
+          echo "Indexing build results..."
           cd /opencb/
 
-          # Remove ASCII coloring from the indexed logs
-          cat build-logs.txt | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g" > build-logs-uncolored.txt 
+          # Remove ASCII coloring and redact secrets using Scala
+          scala-cli run /opencb/project-builder/redact-logs.scala --server=false -- \
+            build-logs.txt \
+            build-logs-redacted.txt \
+            "${{ inputs.elastic-password }}" \
+            "${{ inputs.github-key }}" \
+            "${{ inputs.container-registry-token }}" \
+            "${{ inputs.akka-repository-token }}"
 
-          /opencb/project-builder/feed-elastic.sh \
-            'https://scala3.westeurope.cloudapp.azure.com/data' \
-            "${{ inputs.project-name }}" \
-            "$(cat build-status.txt)" \
-            "$(date --iso-8601=seconds)" \
-            build-summary.txt \
-            build-logs-uncolored.txt \
-            "$(config .version)" \
-            "${{ inputs.scala-version }}" \
-            "${{ inputs.custom-build-id != '' && inputs.custom-build-id || github.run_id }}" \
-            "${{ steps.job-info.outputs.build-url }}" \
-            "$(cat build-tool.txt)"
-          if [ $? != 0 ]; then 
+          index_exit=0
+          for attempt in 1 2 3; do
+            /opencb/project-builder/feed-elastic.sh \
+              'https://scala3.westeurope.cloudapp.azure.com/data' \
+              "${{ inputs.project-name }}" \
+              "$(cat build-status.txt)" \
+              "$(date --iso-8601=seconds)" \
+              build-summary.txt \
+              build-logs-redacted.txt \
+              "$(config .version)" \
+              "${{ inputs.scala-version }}" \
+              "${{ inputs.custom-build-id != '' && inputs.custom-build-id || github.run_id }}" \
+              "${{ steps.job-info.outputs.build-url }}" \
+              "$(cat build-tool.txt)"
+            index_exit=$?
+            if [ $index_exit -eq 0 ]; then
+              break
+            elif [ $attempt -lt 3 ]; then
+              echo "Indexing failed, would retry"
+              sleep $((attempt * 5))
+            fi
+          done
+          if [ $index_exit != 0 ]; then 
             echo "::warning title=Indexing failure::Indexing results of ${{ inputs.project-name }} failed" 
           fi
 
diff --git a/project-builder/redact-logs.scala b/project-builder/redact-logs.scala
@@ -0,0 +1,25 @@
+import scala.io.Source
+import java.nio.file.{Files, Paths}
+
+@main def redactLogs(
+    inputFile: String,
+    outputFile: String,
+    secrets: String*
+): Unit = {
+  // Read the log file
+  val content = Source.fromFile(inputFile).mkString
+
+  // Remove ANSI color codes
+  val contentWithoutColors = content.replaceAll("\u001B\\[[0-9;]*[mGK]", "")
+
+  // Redact secrets using foldLeft
+  val redactedContent = secrets
+    .filter(_.nonEmpty)
+    .foldLeft(contentWithoutColors) { (acc, secret) =>
+      acc.replace(secret, "<REDACTED>")
+    }
+
+  // Write the redacted logs
+  Files.write(Paths.get(outputFile), redactedContent.getBytes)
+  println(s"Redacted logs written to $outputFile")
+}
