Use diff -q during plan parity to prevent leaking secrets #498
rdhar merged 3 commits into OP5dev:main from
Currently, differences found during the parity check will be output to stdout and thus the logs. This can leak secrets, as can be seen [here](https://github.com/perchnet/p/actions/runs/16870494518/job/47784366635#step:11:520). This silences the diff output by doing the check with `diff -q`.
rdhar left a comment
Hi @b-, many thanks for this excellent PR! This is sure to be included in the next release of TF-via-PR.
I'm surprised/worried it hadn't been raised earlier -- I guess most folks don't use the `plan-parity: true` option, let alone pay attention to workflow logs. 😅
On a different tangent, I have clocked this message of yours and intend on responding to it in bits & pieces to approach your ideal workflow. Off the top of my head, I recall your having to commit with no-op formatting changes and store the output in a separate file. For that, in addition to `format: true`, we can pass `arg-check: false` and `arg-write: true` (see doc) to allow `fmt` to update improperly formatted files automatically instead of exiting out.
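The leak and the fix this PR describes, as an added example that is not part of the PR or of TF-via-PR's own code: a plain `diff` parity check beside a `diff -q` one, run over two constructed plan files. The file names, function names and the secret values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; file names and secret values below are constructed.

# Write two rendered plans that differ only in a sensitive value.
make_sample_plans() {
  dir=$1
  printf 'resource "example" "db" {\n  password = "%s"\n}\n' \
    'CONSTRUCTED-SECRET-A' > "$dir/plan_pr.txt"
  printf 'resource "example" "db" {\n  password = "%s"\n}\n' \
    'CONSTRUCTED-SECRET-B' > "$dir/plan_apply.txt"
}

# Leaky form: plain diff writes the differing lines (secret included)
# to stdout, which a CI runner copies into the job log.
parity_leaky() {
  diff "$1" "$2"
}

# Quiet form: diff -q prints at most "Files A and B differ", never content.
# Returns 0 on parity, 1 on drift, 2 if diff itself failed (e.g. missing file).
parity_quiet() {
  rc=0
  msg=$(diff -q "$1" "$2" 2>/dev/null) || rc=$?
  case $rc in
    0) echo "plan parity: ok" ;;
    1) echo "plan parity: FAILED ($msg)" ;;
    *) echo "plan parity: diff error"; rc=2 ;;
  esac
  return "$rc"
}

demo_dir=$(mktemp -d)
make_sample_plans "$demo_dir"
echo "--- diff (leaks the differing lines) ---"
parity_leaky "$demo_dir/plan_pr.txt" "$demo_dir/plan_apply.txt" || true
echo "--- diff -q (reports only that the files differ) ---"
parity_quiet "$demo_dir/plan_pr.txt" "$demo_dir/plan_apply.txt" || true
rm -rf "$demo_dir"
```

The quiet form still prints the two file names, so those should not themselves carry sensitive values.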