redact BCIT secrets from logs

franco-zalamena-iterable · franco-zalamena-iterable · commit c6aee2bc172f · 2026-05-06T13:37:18.000+01:00
diff --git a/.github/workflows/inapp-e2e-tests.yml b/.github/workflows/inapp-e2e-tests.yml
@@ -190,6 +190,10 @@ jobs:
           ITERABLE_SERVER_API_KEY: ${{ secrets.BCIT_ITERABLE_SERVER_API_KEY }}
           ITERABLE_TEST_USER_EMAIL: ${{ secrets.BCIT_ITERABLE_TEST_USER_EMAIL }}
 
+      # SDK-170: do NOT upload integration-tests/build/outputs/ — that path contains the
+      # built APKs which embed BuildConfig.ITERABLE_API_KEY and BuildConfig.ITERABLE_SERVER_API_KEY
+      # as compile-time string constants. On a public repo, anyone who can download the
+      # artifact could `strings`/`apktool` the APK and recover both keys.
       - name: Upload E2E diagnostics
         if: always()
         uses: actions/upload-artifact@v4
@@ -198,7 +202,6 @@ jobs:
           path: |
             integration-tests/build/diagnostics/
             integration-tests/build/reports/
-            integration-tests/build/outputs/
           if-no-files-found: warn
           retention-days: 7
           
diff --git a/integration-tests/src/androidTest/java/com/iterable/integration/tests/InAppMessageIntegrationTest.kt b/integration-tests/src/androidTest/java/com/iterable/integration/tests/InAppMessageIntegrationTest.kt
@@ -130,10 +130,10 @@ class InAppMessageIntegrationTest : BaseIntegrationTest() {
         Assert.assertTrue("User should be signed in", userSignedIn)
         Log.d(TAG, "✅ User signed in successfully: ${TestConstants.TEST_USER_EMAIL}")
 
-        // Step 2: Debug API key configuration
-        Log.d(TAG, "🔍 Debug: ITERABLE_API_KEY = ${BuildConfig.ITERABLE_API_KEY}")
-        Log.d(TAG, "🔍 Debug: ITERABLE_SERVER_API_KEY = ${BuildConfig.ITERABLE_SERVER_API_KEY}")
-        Log.d(TAG, "🔍 Debug: ITERABLE_TEST_USER_EMAIL = ${BuildConfig.ITERABLE_TEST_USER_EMAIL}")
+        // SDK-170: log presence/length only (never values) — these end up in CI logcat artifacts.
+        Log.d(TAG, "API key configured: length=${BuildConfig.ITERABLE_API_KEY.length}")
+        Log.d(TAG, "Server API key configured: length=${BuildConfig.ITERABLE_SERVER_API_KEY.length}")
+        Log.d(TAG, "Test user email configured: length=${BuildConfig.ITERABLE_TEST_USER_EMAIL.length}")
 
         // Step 3: Try to trigger campaign via API (but don't fail if it doesn't work)
         Log.d(TAG, "🎯 Step 3: Attempting to trigger campaign via API...")
diff --git a/integration-tests/src/main/java/com/iterable/integration/tests/MainActivity.kt b/integration-tests/src/main/java/com/iterable/integration/tests/MainActivity.kt
@@ -89,8 +89,16 @@ class MainActivity : AppCompatActivity() {
     }
     
     private fun setupUI() {
-        // Set API key text
-        findViewById<android.widget.TextView>(R.id.tvApiKey).text = "API Key: ${BuildConfig.ITERABLE_API_KEY}"
+        // SDK-170: never render the full API key into the view hierarchy — the integration
+        // tests CI captures hierarchy.xml and screenshot.png as artifacts on a public repo.
+        // Show only enough to confirm a non-empty key was loaded.
+        val apiKey = BuildConfig.ITERABLE_API_KEY
+        val keyDisplay = when {
+            apiKey.isEmpty() -> "API Key: (empty)"
+            apiKey.length < 8 -> "API Key: (length=${apiKey.length})"
+            else -> "API Key: ****${apiKey.takeLast(4)} (length=${apiKey.length})"
+        }
+        findViewById<android.widget.TextView>(R.id.tvApiKey).text = keyDisplay
         
         findViewById<android.widget.Button>(R.id.btnPushNotifications).setOnClickListener {
             startActivity(Intent(this@MainActivity, PushNotificationTestActivity::class.java))
