store the tokens in files and never display them

action.yml

@@ -81,14 +81,19 @@ runs:
           verbosity="$verbosity --debug"
         fi
 
+        origin_token=$(pwd)/origin.token
+        echo -n ${{ inputs.origin-token }} > $origin_token
+        destination_token=$(pwd)/destination.token
+        echo -n ${{ inputs.destination-token }} > $destination_token
+
         cascading-pr.sh $verbosity \
                         --origin-url "${{ inputs.origin-url }}" \
                         --origin-repo "${{ inputs.origin-repo }}" \
-                        --origin-token "${{ inputs.origin-token }}" \
+                        --origin-token "@$origin_token" \
                         --origin-pr "${{ inputs.origin-pr }}" \
                         --destination-url "${{ inputs.destination-url }}" \
                         --destination-repo "${{ inputs.destination-repo }}" \
-                        --destination-token "${{ inputs.destination-token }}" \
+                        --destination-token "@$destination_token" \
                         --destination-branch "${{ inputs.destination-branch }}" \
                         --update "${{ inputs.update }}" \
                         --prefix "${{ inputs.prefix }}" \

cascading-pr.sh

@@ -117,11 +117,12 @@ function upsert_clone() {
 
     local fetch=true
     if ! test -d $TMPDIR/$direction; then
-	git clone $clone -b $branch $TMPDIR/$direction
+	git -c credential.helper="store --file=$TMPDIR/$direction.git-credentials" clone $clone -b $branch $TMPDIR/$direction
 	fetch=false
     fi
     (
 	cd $TMPDIR/$direction
+	git config credential.helper "store --file=$TMPDIR/$direction.git-credentials"
 	if $fetch; then
 	    git fetch $direction
 	fi
@@ -163,16 +164,33 @@ function update() {
     push destination ${options[destination_head]} ${options[destination_clone]}
 }
 
+function set_clone() {
+    local direction=$1
+    local token=${options[${direction}_token]}
+
+    if [[ "$token" =~ ^@ ]] ; then
+	local file=${token##@}
+	(
+	    echo -n ${options[${direction}_scheme]}://any:
+	    cat $file
+	    echo @${options[${direction}_host_port]}/${options[${direction}_repo]}
+	) > $TMPDIR/$direction.git-credentials
+    else
+	echo ${options[${direction}_scheme]}://any:${options[${direction}_token]}@${options[${direction}_host_port]}/${options[${direction}_repo]}  > $TMPDIR/$direction.git-credentials
+    fi
+    options[${direction}_clone]=${options[${direction}_scheme]}://${options[${direction}_host_port]}/${options[${direction}_repo]}
+}
+
 function finalize_options() {
     options[origin_api]=${options[origin_url]}/api/v1/repos/${options[origin_repo]}
     options[origin_scheme]=$(scheme ${options[origin_url]})
     options[origin_host_port]=$(host_port ${options[origin_url]})
-    options[origin_clone]=${options[origin_scheme]}://any:${options[origin_token]}@${options[origin_host_port]}/${options[origin_repo]}
+    set_clone origin
     options[origin_head]=$(pr_head origin)
     options[destination_api]=${options[destination_url]}/api/v1/repos/${options[destination_repo]}
     options[destination_scheme]=$(scheme ${options[destination_url]})
     options[destination_host_port]=$(host_port ${options[destination_url]})
-    options[destination_clone]=${options[destination_scheme]}://any:${options[destination_token]}@${options[destination_host_port]}/${options[destination_repo]}
+    set_clone destination
     options[destination_base]=${options[destination_branch]}
     : ${options[prefix]:=${options[origin_repo]}}
     options[destination_head]=${options[prefix]}-${options[origin_pr]}