Repo-history example

amazon-ecr-login: one password-masking change the repo's own checks missed.

In a measured replay of six real first-parent commits from aws-actions/amazon-ecr-login, the same selected checks passed in standard CI every time. DriftFence stayed quiet through five commits, then flagged one password-masking change.

With approved login and output behavior fixed in Git, DriftFence would have started flagging the moment explicit mask-password: true began masking forwarded docker password outputs.

First divergence

Explicit mask-password: true started masking forwarded docker password outputs.

The first five commits in this window stayed conforming. On the sixth commit, the action started calling core.setSecret for both forwarded docker passwords when explicit masking was requested, while the same selected checks still passed in standard CI.

Blocked case

mask-password: true stopped leaving forwarded passwords unmasked.

In the approved baseline, the selected login path forwarded both docker password outputs without masking them first. After the feature landed, the action started masking those forwarded passwords while still producing the same outputs.

DriftFence report

  • Scenario: amazon-ecr-login.ecr.credentials.masked-output
  • Expected: output.maskedPasswordCount = 0
  • Observed: output.maskedPasswordCount = 2
  • Classification: violating

The nearby mask-password: false and skip-logout: true controls did not trigger DriftFence on the same six-commit slice.
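
The scenario above as an added example, not code from DriftFence or amazon-ecr-login: a recording stub counts core.setSecret calls for each fixed workflow and compares the count with the approved baseline. The forwardPasswords stand-in, the sample credentials, and the output names are assumptions made for illustration.

```javascript
// Added illustration: hypothetical stand-ins, not amazon-ecr-login or DriftFence source.
// Recording stub for the two @actions/core calls this scenario observes.
function makeCore() {
  const calls = { secrets: [], outputs: {} };
  return {
    calls,
    setSecret: (v) => calls.secrets.push(v),
    setOutput: (k, v) => { calls.outputs[k] = v; },
  };
}

// Constructed sample credentials for two registries (not real values).
const CREDS = [
  { registry: '111111111111_dkr_ecr_us_east_1', password: 'constructed-pw-a' },
  { registry: '222222222222_dkr_ecr_us_east_1', password: 'constructed-pw-b' },
];

// Simplified output path. `masking` false models the five quiet commits,
// true models the commit that added the mask-password input.
function forwardPasswords(core, inputs, masking) {
  for (const { registry, password } of CREDS) {
    if (masking && inputs['mask-password'] === 'true') core.setSecret(password);
    core.setOutput(`docker_password_${registry}`, password);
  }
}

// Approved baseline: forwarded passwords are not masked in any fixed workflow.
const BASELINE = {
  'mask-password: true': { inputs: { 'mask-password': 'true' }, maskedPasswordCount: 0 },
  'mask-password: false': { inputs: { 'mask-password': 'false' }, maskedPasswordCount: 0 },
  'skip-logout: true': { inputs: { 'skip-logout': 'true' }, maskedPasswordCount: 0 },
};

// Run every fixed workflow against one version and classify each result.
function replay(masking) {
  return Object.entries(BASELINE).map(([workflow, { inputs, maskedPasswordCount }]) => {
    const core = makeCore();
    forwardPasswords(core, inputs, masking);
    const observed = core.calls.secrets.length;
    return {
      workflow, expected: maskedPasswordCount, observed,
      outputs: Object.keys(core.calls.outputs).length,
      classification: observed === maskedPasswordCount ? 'conforming' : 'violating',
    };
  });
}

console.table(replay(true));
```

The outputs column stays at 2 in every row, which is why checks that assert only on the forwarded outputs keep passing while the masking count diverges from the baseline.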

Across the replay window

Five quiet commits, then one clear masking onset.

This replay is stronger than a recurring-all-red window because the onset comes after five quiet commits on the same selected test surface and keeps two matched quiet controls.

Quiet commits first

Five unrelated commits stayed conforming

  • Jest and ESLint bumps, two dist refreshes, and one AWS SDK bump all stayed quiet.
  • None of those commits changed the protected password masking or cleanup behavior.
  • The selected login/output surface stayed conforming until the feature commit landed.

Then the onset

One feature started masking the forwarded passwords

  • 98f33d2 added the optional mask-password input.
  • With mask-password: true, the action started calling core.setSecret twice for the forwarded docker passwords.
  • DriftFence flagged that change while the same checks stayed green.

Nearby controls

Two comparison cases stayed quiet

  • mask-password: false stayed conforming across the whole slice.
  • skip-logout: true stayed conforming too.
  • Both controls stayed quiet on the same selected test surface.

Method

How it was measured.

This replay fixes one login/output baseline, reruns the same selected tests on each commit, and counts the onset once because only one commit in the window drifted.

  • Replay size: 6 commits
  • Fixed workflows: mask-password: true, mask-password: false, and skip-logout: true
  • The same selected checks reran on every commit in the window
  • DriftFence reran on every commit with the same approved baseline
  • The default follow-up window contained no later merged commits for a reconciliation read

Source material

Method and source files.

The links below show the benchmark notes and pinned replay plan for this release-action example.

Measurement notes

The benchmark results log records the completed amazon-ecr-login window, including the replay size, outcome mix, and first flagged change.

Fixed test plan

The replay definition fixes the three login/output workflows and the exact August 2023 replay window used here.
