support escaping multiline secrets

sean-breen · sean-breen · commit 4e0b152317b6 · 2026-01-26T14:52:07.000Z
diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
@@ -37,9 +37,10 @@ runs:
             echo "Processing pattern: $pattern"
             for secret_name in $(az keyvault secret list --vault-name ${{ inputs.keyvault }} --query "[?contains(name, '$pattern')].name" -o tsv); do
               echo "Sync secret: env.$secret_name"
-              secret_value="$(az keyvault secret show --only-show-errors --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv)"
-              echo '::add-mask::$(echo "$secret_value" | sed ':a;N;$!ba;s/%/%25/g' | sed ':a;N;$!ba;s/\r/%0D/g' | sed ':a;N;$!ba;s/\n/%0A/g')'
-              echo "$secret_name=$secret_value" >> "$GITHUB_ENV"
+              secret_value=$(az keyvault secret show --only-show-errors --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv)
+              escaped_secret=$(printf '%s' "$secret_value" | sed ':a;N;$!ba;s/%/%25/g' | sed ':a;N;$!ba;s/\r/%0D/g' | sed ':a;N;$!ba;s/\n/%0A/g')
+              echo "::add-mask::$escaped_secret"
+              echo "$secret_name=$escaped_secret" >> $GITHUB_ENV
             done
           done
         IFS=$old_IFS
