Redact secrets form logs stored in ES

Author: WojciechMazur

.github/actions/build-project/action.yaml

@@ -253,15 +253,43 @@ runs:
           cd /opencb/
 
           # Remove ASCII coloring from the indexed logs
-          cat build-logs.txt | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g" > build-logs-uncolored.txt 
+          mv build-logs.txt build-logs-redacted.txt
+
+          # Not required in the CI but usefull for local tests
+          sed_inplace () {
+            local expr="$1"
+            local file="$2"
+            if sed --version >/dev/null 2>&1; then
+              sed -r -i "$expr" "$file"
+            else
+              sed -E -i '' "$expr" "$file"
+            fi
+          }
+
+          sed_inplace "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g" build-logs-redacted.txt
+
+          # Replace secrets before indexing logs
+          redact_one () {
+            local secret="$1"
+            if [[ -n "$secret" ]]; then
+              local escaped
+              escaped="$(printf '%s' "$secret" | sed -e 's/[\/&\\]/\\&/g' -e 's/[].[^$*+?{}()|]/\\&/g')"
+              sed_inplace "s/${escaped}/REDACTED/g" build-logs-redacted.txt
+            fi
+          }
+
+          redact_one "${{ inputs.elastic-password }}"
+          redact_one "${{ inputs.github-key }}"
+          redact_one "${{ inputs.container-registry-token }}"
+          redact_one "${{ inputs.akka-repository-token }}"
 
           /opencb/project-builder/feed-elastic.sh \
             'https://scala3.westeurope.cloudapp.azure.com/data' \
             "${{ inputs.project-name }}" \
             "$(cat build-status.txt)" \
             "$(date --iso-8601=seconds)" \
             build-summary.txt \
-            build-logs-uncolored.txt \
+            build-logs-redacted.txt \
             "$(config .version)" \
             "${{ inputs.scala-version }}" \
             "${{ inputs.custom-build-id != '' && inputs.custom-build-id || github.run_id }}" \