AttestSBOM() already uses WithSecretVariable + $REGISTRY_PASSWORD for credential handling, but Sign() still extracts the secret via Plaintext(ctx) and passes it as a direct CLI argument.
Before (Sign function logs):
104 : ┆ Secret.plaintext: String!
110 : ┆ withExec cosign sign ... --registry-password ***
After (matching AttestSBOM pattern):
164 : ┆ Container.withSecretVariable(name: "REGISTRY_PASSWORD", secret: Secret!)
169 : ┆ withExec sh -c 'cosign sign ... --registry-password $REGISTRY_PASSWORD ...'
Dagger does mask the value as ***, so it's not a critical leak, but making Sign() follow the same pattern as AttestSBOM() improves consistency and makes the logs less confusing (a *** in the logs can alarm anyone reviewing them).
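To make the difference between the two patterns concrete, here is an added stand-alone Go example (not code from this PR or module, and written without the Dagger SDK so it runs anywhere): it models the "before" Sign(), which splices the plaintext into the cosign argv, against the "after" Sign(), which keeps only the literal $REGISTRY_PASSWORD in argv and delivers the value through the environment, as WithSecretVariable does. The image reference, username and token are constructed sample values.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Constructed sample values for the demo; not taken from the PR.
const (
	imageRef     = "registry.example.com/app:v1.2.3"
	sampleSecret = "constructed-registry-token"
)

// signCommand builds the cosign invocation the two ways the PR contrasts.
// viaEnv=false: the "before" Sign(), secret read via Plaintext and spliced into argv.
// viaEnv=true:  the "after" Sign(), argv carries only the literal $REGISTRY_PASSWORD and
// the value travels in the environment (what WithSecretVariable does in Dagger),
// expanded by sh inside the container at run time.
func signCommand(registryPassword string, viaEnv bool) (argv, env []string) {
	if !viaEnv {
		return []string{"cosign", "sign", "--registry-username", "ci",
			"--registry-password", registryPassword, imageRef}, nil
	}
	argv = []string{"sh", "-c",
		"cosign sign --registry-username ci --registry-password $REGISTRY_PASSWORD " + imageRef}
	env = []string{"REGISTRY_PASSWORD=" + registryPassword}
	return argv, env
}

// argvExposes reports whether the secret is present in the command line itself,
// i.e. visible to process listings and to anything that logs the exec call.
func argvExposes(argv []string, secret string) bool {
	return strings.Contains(strings.Join(argv, " "), secret)
}

// expandInShell shows that the env-delivered value still reaches the child:
// sh expands $REGISTRY_PASSWORD itself, so the argv never holds the plaintext.
func expandInShell(env []string) (string, error) {
	cmd := exec.Command("sh", "-c", `printf '%s' "$REGISTRY_PASSWORD"`)
	cmd.Env = append(os.Environ(), env...)
	out, err := cmd.Output()
	return string(out), err
}

func main() {
	for _, viaEnv := range []bool{false, true} {
		argv, _ := signCommand(sampleSecret, viaEnv)
		fmt.Printf("viaEnv=%v argv exposes secret: %v\n", viaEnv, argvExposes(argv, sampleSecret))
	}
}
```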