Pkg.build writes full environment, including secrets, to deps/build.log #130
Description
Summary
Pkg.build("SparseIR") writes the full cargo command object to deps/build.log, and Julia renders that Cmd as setenv(...) with the complete environment attached. In CI or other secret-bearing environments, that persists secret values such as GH_TOKEN into the build log on disk.
Reproducer
I reproduced this from the current checkout while testing the documented downstream-user flow:
using Pkg
Pkg.activate(mktempdir())
Pkg.develop(path="/path/to/SparseIR.jl")
Pkg.instantiate()
Pkg.build("SparseIR")
Then inspect deps/build.log in the package checkout.
Observed behavior
The log contains a line like:
setenv(`/home/.../cargo build ...`, [ ..., "GH_TOKEN=***", ... ])
In my run, deps/build.log contained the active CI GH_TOKEN value verbatim, along with many other environment variables.
Likely cause
deps/build_support.jl logs the command directly before running it:
println(log_io, command)
Because command carries the environment, this serializes the full setenv(...) wrapper into the log.
Relevant lines:
deps/build_support.jl:235
deps/build_support.jl:236
Why this matters
Even though deps/build.log is gitignored, it still leaves secrets at rest in the workspace and can be exposed by CI artifact collection, support bundles, or accidental sharing of build logs.
Expected behavior
The build log should record the command path/arguments without serializing secret-bearing environment variables, or should redact sensitive keys before writing.
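One way to meet this expectation, covering both the cause described above and the two fixes proposed here, is shown below as an added example. It is not code from SparseIR.jl's deps/build_support.jl; the names SECRET_PATTERNS, redact_env, log_command and DEMO_CMD are chosen for this example, and DEMO_CMD is a constructed command carrying a fake token. The Cmd fields exec and env are Julia's own.

```julia
# Added example, not SparseIR.jl's code: log a Cmd without writing its full
# environment to disk. Names (SECRET_PATTERNS, redact_env, log_command, DEMO_CMD)
# are chosen for this example; the Cmd fields `exec` and `env` are Julia's own.

# Environment variable names treated as secret-bearing (a heuristic; extend as needed).
const SECRET_PATTERNS = (r"TOKEN"i, r"SECRET"i, r"PASSWORD"i, r"PASSWD"i,
                         r"_KEY$"i, r"CREDENTIAL"i)

is_sensitive(name::AbstractString) = any(p -> occursin(p, name), SECRET_PATTERNS)

# Return a copy of a "KEY=VALUE" environment vector with sensitive values masked.
# A value may itself contain '=', so split on the first '=' only.
function redact_env(env::AbstractVector{<:AbstractString})
    map(env) do entry
        parts = split(entry, '='; limit=2)
        length(parts) == 2 || return String(entry)   # malformed entry: pass through
        name = parts[1]
        is_sensitive(name) ? "$name=***" : String(entry)
    end
end

# Replacement for `println(log_io, command)`: `show(::Cmd)` wraps a command that
# carries an environment in setenv(...) and prints every "KEY=VALUE" verbatim.
# Here only the program and its arguments are logged; the environment is written
# only when asked for, and then only in redacted form.
function log_command(io::IO, cmd::Cmd; include_env::Bool=false)
    println(io, "command: ", join(cmd.exec, " "))
    if include_env && cmd.env !== nothing
        println(io, "env (redacted): ", join(redact_env(cmd.env), " "))
    end
    return nothing
end

# Constructed demo: a cargo invocation with a fake token in its environment,
# mirroring the setenv(...) form shown in the issue.
const DEMO_CMD = setenv(`cargo build --release`,
                        ["PATH=/usr/bin", "GH_TOKEN=ghp_FAKE_example_value", "HOME=/home/ci"])

# Equivalent of the current build_support.jl behaviour, sent to stdout so nothing
# lands on disk: the setenv(...) rendering contains the fake token verbatim.
println(stdout, DEMO_CMD)

# Safe form: program path and arguments only.
log_command(stdout, DEMO_CMD)

# Safe form with a redacted view of the environment, e.g. when a build failure needs it.
log_command(stdout, DEMO_CMD; include_env=true)
```

In build_support.jl the call `println(log_io, command)` would become `log_command(log_io, command)`. Logging only `cmd.exec` is the stronger default, since a name-based redaction list can miss a secret stored under an unexpected variable name; the redacted view is a debugging aid rather than a guarantee. Note that redaction here covers the environment only: anything placed directly in the argument vector is still written to the log.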