I have a docker image build running with plugins/docker that specifies a secret for npmrc that contains newlines (itself sourced from Vault). I’ve confirmed that in the output a simple string without newlines passed via build_args_from_env is indeed hidden, but the arg for npmrc is not (I’m assuming it’s because of the newlines).
Drone is only capable of masking single-line secrets. If secrets are split across multiple lines they cannot be masked. You could pass the secret as a base64 encoded value to work around this limitation.
I have an idea for how we might mask multi-line secrets. I will run some tests and submit a patch to see if we can get it working.
The only thing to note is that masking secrets is at the mercy of buffering and flushing. It is possible the stdout stream could be flushed in a manner that cuts the secret in half, making it impossible for us to detect it. This is an edge case and may never actually surface in the real world, but I feel compelled to document the possibility regardless.
It basically treats each line of a multi-line secret as an individual secret. So instead of searching for the secret, we search for each line individually. This makes it easier to detect multi-line secrets in streams, which are buffered and periodically flushed, which otherwise makes this task quite difficult. The unit tests are passing, but it will be interesting to see whether this approach works in practice.
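The per-line approach described in the last two replies, as an added example that is not Drone's own code: a stand-alone Go sketch that masks a buffered stream by searching for each line of a multi-line secret separately, next to the whole-secret search it replaces and the mid-line flush caveat. The npmrc value, the mask string and the chunk boundaries are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Multi-line npmrc secret, constructed for this example (not a real token).
const npmrc = "//registry.npmjs.org/:_authToken=abc123token\nalways-auth=true\n"

// expandSecrets splits each secret into its non-empty lines so every line is
// searched for individually, as the patch described in the thread does.
func expandSecrets(secrets []string) []string {
	var lines []string
	for _, s := range secrets {
		for _, l := range strings.Split(s, "\n") {
			if l = strings.TrimSpace(l); l != "" {
				lines = append(lines, l)
			}
		}
	}
	return lines
}

// maskChunk redacts every needle that appears within one flushed chunk.
func maskChunk(chunk string, needles []string) string {
	for _, n := range needles {
		chunk = strings.ReplaceAll(chunk, n, "********")
	}
	return chunk
}

// maskStream masks a buffered stream chunk by chunk; perLine=false searches
// for the whole secret, perLine=true searches for each of its lines.
func maskStream(chunks, secrets []string, perLine bool) string {
	needles := secrets
	if perLine {
		needles = expandSecrets(secrets)
	}
	var out strings.Builder
	for _, c := range chunks {
		out.WriteString(maskChunk(c, needles))
	}
	return out.String()
}

// leaked reports whether the token survived masking.
func leaked(out string) bool { return strings.Contains(out, "abc123token") }

func main() {
	// The stream flushes once per line, so the whole secret never sits in one chunk.
	chunks := []string{"--build-arg NPMRC=//registry.npmjs.org/:_authToken=abc123token\n", "always-auth=true\n"}
	fmt.Println("whole-secret search leaks:", leaked(maskStream(chunks, []string{npmrc}, false)))
	fmt.Println("per-line search leaks:", leaked(maskStream(chunks, []string{npmrc}, true)))
	// The caveat noted above: a flush that splits one line still defeats masking.
	fmt.Println("mid-line flush leaks:", leaked(maskStream([]string{"_authToken=abc12", "3token\n"}, []string{npmrc}, true)))
}
```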