Stop logging full access token secret (#321)

bastjan · web-flow · commit e6d67893f0a4 · 2025-08-13T19:03:10.000+02:00
Note that the log was truncated before any token was exposed.
diff --git a/controllers/gitrepo/steps.go b/controllers/gitrepo/steps.go
@@ -189,7 +189,11 @@ func ensureAccessToken(ctx context.Context, cli client.Client, instance *synv1al
 	if err != nil {
 		return fmt.Errorf("error creating or updating access token secret: %w", err)
 	}
-	log.FromContext(ctx).Info("Reconciled secret", "secret", secret, "op", op)
+	log.FromContext(ctx).Info("Reconciled secret",
+		"secret", secret.Name,
+		"pat_uid", secret.Annotations[LieutenantAccessTokenUIDAnnotation],
+		"pat_expires_at", secret.Annotations[LieutenantAccessTokenExpiresAtAnnotation],
+		"op", op)
 
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,11 @@ func ensureAccessToken(ctx context.Context, cli client.Client, instance *synv1al`
`189`	`189`	`if err != nil {`
`190`	`190`	`return fmt.Errorf("error creating or updating access token secret: %w", err)`
`191`	`191`	`}`
`192`		`- log.FromContext(ctx).Info("Reconciled secret", "secret", secret, "op", op)`
	`192`	`+ log.FromContext(ctx).Info("Reconciled secret",`
	`193`	`+ "secret", secret.Name,`
	`194`	`+ "pat_uid", secret.Annotations[LieutenantAccessTokenUIDAnnotation],`
	`195`	`+ "pat_expires_at", secret.Annotations[LieutenantAccessTokenExpiresAtAnnotation],`
	`196`	`+ "op", op)`
`193`	`197`
`194`	`198`	`return nil`
`195`	`199`	`}`