Fix action result key collisions and secret leak in substitute mode #61
Merged
execute_action's result dict keyed entries on f"execute: {action}", so two
identical actions in one batch would collide and the first result would be
overwritten. With substitute=True, the substituted action (with ${env:...}
already expanded) was also written into the log line and the result key,
exposing secrets pulled in via ${env:...}.
- Key results as f"execute[{index}]: {display}" so duplicate actions keep
both results, matching execute_action_parallel's existing format.
- Track the original (un-substituted) action separately and use it for the
result key, the success log line, and the dry_run payload log; only the
executed callable receives the substituted payload.
- Update docs (en / zh-TW / zh-CN) and the http server test for the new
key format.
- Add regression tests for both fixes in test_action_executor.
This was referenced Apr 25, 2026
Summary
- ActionExecutor.execute_action keyed results as f"execute: {action}", so two identical actions in one batch collided and the first result was silently overwritten. Now keyed as f"execute[{index}]: {display}", matching execute_action_parallel.
- With substitute=True, the substituted action (with ${env:SECRET} already expanded) was being written into both the log line and the result-dict key, leaking secrets. Now the original un-substituted action is used for the key, the success log, and the dry-run payload log; only the callable itself receives the substituted payload.

Test plan
- pytest tests/test_action_executor.py tests/test_substitution.py tests/test_http_server.py tests/test_action_registry.py — 33 passed
- mypy automation_file/core/action_executor.py — clean
- test_duplicate_actions_do_not_collide — two identical echoes both surface in the result dict
- test_substitute_does_not_leak_into_result_key — ${env:FA_EXEC_SECRET} literal stays in the key, expanded value only reaches the callable
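
The two defects described above, reduced to a self-contained sketch. This is an added example, not the project's code: the [name, kwargs] action shape, the one-command REGISTRY, and the expand, run_before and run_after helpers are assumptions made for illustration, and the secret value is constructed.

```python
import os
import re

_ENV = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")

def expand(value):
    """Recursively expand ${env:NAME} placeholders (simplified stand-in)."""
    if isinstance(value, str):
        return _ENV.sub(lambda m: os.environ.get(m.group(1), m.group(0)), value)
    if isinstance(value, list):
        return [expand(v) for v in value]
    if isinstance(value, dict):
        return {k: expand(v) for k, v in value.items()}
    return value

def echo(text):
    return text

REGISTRY = {"echo": echo}  # hypothetical one-command registry

def run_before(actions, substitute=False):
    """Pre-fix behaviour: the key is built from the action that was executed."""
    results = {}
    for action in actions:
        if substitute:
            action = expand(action)  # the secret now lives in `action`
        name, kwargs = action
        # Identical actions share one key, and the key embeds the expansion.
        results[f"execute: {action}"] = REGISTRY[name](**kwargs)
    return results

def run_after(actions, substitute=False):
    """Post-fix behaviour: indexed key built from the original action."""
    results = {}
    for index, display in enumerate(actions):
        payload = expand(display) if substitute else display
        name, kwargs = payload  # only the callable sees the expansion
        results[f"execute[{index}]: {display}"] = REGISTRY[name](**kwargs)
    return results

def demo():
    os.environ["FA_EXEC_SECRET"] = "s3cr3t-constructed"  # constructed value
    batch = [["echo", {"text": "${env:FA_EXEC_SECRET}"}]] * 2
    before, after = run_before(batch, True), run_after(batch, True)
    leaked = lambda res: any("s3cr3t-constructed" in key for key in res)
    # (entries before, key leaks before, entries after, key leaks after)
    return len(before), leaked(before), len(after), leaked(after)

if __name__ == "__main__":
    print(demo())
```

Only the keys are checked here: a callable that returns its input, such as echo, still places the expanded value in the result value.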