clientsecret is secret

Actions/AL-Go-Helper.ps1

@@ -2412,7 +2412,7 @@ function ConnectAz {
         Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
         if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
             Write-Host "Connecting to Azure using clientId and clientSecret."
-            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, (ConvertTo-SecureString -String $azureCredentials.ClientSecret -AsPlainText -Force)
+            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, $azureCredentials.ClientSecret
             Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
         }
         else {

Actions/ReadSecrets/ReadSecrets.ps1

@@ -1,4 +1,5 @@
-Param(
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
+Param(
     [Parameter(HelpMessage = "All GitHub Secrets in compressed JSON format", Mandatory = $true)]
     [string] $gitHubSecrets = "",
     [Parameter(HelpMessage = "Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted", Mandatory = $true)]
@@ -100,15 +101,20 @@ try {
                             MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
                         }
                     }
-                    if ($json.ContainsKey('clientID') -and !$json.ContainsKey('clientSecret')) {
-                        try {
-                            Write-Host "Query federated token"
-                            $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
-                            $json += @{ "clientAssertion" = $result.value }
-                            $secretValue = $json | ConvertTo-Json -Compress
+                    if ($json.ContainsKey('clientID')) {
+                        if ($json.ContainsKey('clientSecret')) {
+                            $json.clientSecret = ConvertTo-SecureString $json.clientSecret -AsPlainText -Force
                         }
-                        catch {
-                            Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
+                        else {
+                            try {
+                                Write-Host "Query federated token"
+                                $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+                                $json += @{ "clientAssertion" = $result.value }
+                                $secretValue = $json | ConvertTo-Json -Compress
+                            }
+                            catch {
+                                Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
+                            }
                         }
                     }
                 }

Actions/ReadSecrets/ReadSecretsHelper.psm1

@@ -78,6 +78,7 @@ function GetKeyVaultCredentials {
             if ($creds.PSObject.Properties.Name -eq 'ClientSecret' -and $creds.ClientSecret) {
                 # Mask ClientSecret
                 MaskValue -key 'ClientSecret' -value $creds.ClientSecret
+                $creds.ClientSecret = ConvertTo-SecureString $creds.ClientSecret -AsPlainText -Force
             }
             # Check thet $creds contains the needed properties
             $creds.ClientId | Out-Null