From cfb0b5a7cc222ae4411d4aeb00aa4634adc064a8 Mon Sep 17 00:00:00 2001
From: Vaughn Dice <vadice@microsoft.com>
Date: Wed, 28 Aug 2019 11:37:38 -0600
Subject: [PATCH] fix(brigade.js): prevent token leak if github-release fails

---
 brigade.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/brigade.js b/brigade.js
index 220475f4..909e3d97 100644
--- a/brigade.js
+++ b/brigade.js
@@ -97,6 +97,7 @@ function githubRelease(p, tag) {
     "GITHUB_REPO": parts[1],
     "GITHUB_TOKEN": p.secrets.ghToken,
   };
+  job.shell = "/bin/bash";
   job.tasks = [
     "go get github.com/aktau/github-release",
     `cd ${localPath}`,
@@ -105,9 +106,10 @@ function githubRelease(p, tag) {
     `github-release release \
       -t ${tag} \
       -n "${parts[1]} ${tag}" \
-      -d "$(git log --no-merges --pretty=format:'- %s %H (%aN)' HEAD ^$last_tag)" \
-      || echo "release ${tag} exists"`,
-    `for bin in ./bin/*; do github-release upload -f $bin -n $(basename $bin) -t ${tag}; done`
+      -d "$(git log --no-merges --pretty=format:'- %s %H (%aN)' HEAD ^$last_tag)" 2>&1 | sed -e "s/\${GITHUB_TOKEN}/<REDACTED>/"`,
+    `for bin in ./bin/*; do \
+      github-release upload -f $bin -n $(basename $bin) -t ${tag} 2>&1 | sed -e "s/\${GITHUB_TOKEN}/<REDACTED>/"; \
+    done`
   ];
   console.log(job.tasks);
   console.log(`releases at https://github.com/${p.repo.name}/releases/tag/${tag}`);