openmrs / openmrs-core

65%

master: 65%

LAST BUILD ON BRANCH 2.7.x

branch: SELECT

CHANGE BRANCH

x

• No branch selected
• 2.1.x
• 2.4.x
• 2.5.x
• 2.6.x
• 2.7.x
• 2.7.x-update-to-2.7.7-SNAPSHOT
• 2.7.x0-TRUNK-6414-revert
• 2.8.x
• 2.8.x-TRUNK-6475
• 2.9.x
• Location-2.9.x
• TRUNK-6292-2.6.x
• TRUNK-6308
• TRUNK-6356-reference-ranges
• TRUNK-6414-2-2.7.x
• TRUNK-6414-2.8.x
• TRUNK-6423
• TRUNK-6423-2.8.x
• TRUNK-6435
• TRUNK-6448-2.7.x
• TRUNK-6448-2.8.x
• TRUNK-6449
• TRUNK-6451
• TRUNK-6456
• TRUNK-6457
• TRUNK-6463
• TRUNK-6464-2.8.x-2
• TRUNK-6472-2.8.x
• TRUNK-6474
• TRUNK-6490
• TRUNK-6505
• TRUNK-6528
• TRUNK-6569
• TRUNK-6571
• TRUNK-6596
• TRUNK-6615
• TRUNK-6615-2.9.x
• TRUNk-6414-2.7x
• gracepotma-patch-1-dpga-badge
• master
• revert-4964-dependabot-maven-org.eclipse.jetty-jetty-maven-plugin-11.0.25

Build # 26342103616

Build Type

push

github

Committed by web-flow

Commit Message

Backport: stop echoing properties to stdout + fix openmrs-extra typo (2.7.x) (#6120)

* Stop echoing openmrs-server.properties to stdout on startup (#6115)

The merged runtime/server properties file contains DB credentials plus
any property supplied via OMRS_EXTRA_* / OMRS_CONFIG_PROPERTY_* env vars
(API keys, bearer tokens, OAuth secrets, ...). When the container's
stdout is captured by a log sink (Docker, GitHub Actions, ELK, Loki),
those values are exposed in plaintext.

This was recently observed: a downstream module's OpenRouter API key,
supplied as OMRS_CONFIG_PROPERTY_CHARTSEARCHAI_LLM_REMOTE_APIKEY,
ended up in a public GitHub Actions log because the container's
stdout was captured.

Nothing consumes this stdout — startup.sh sources startup-init.sh and
the Java app reads the file from disk via -DOPENMRS_INSTALLATION_SCRIPT.
The cat was added in TRUNK-6184 as a diagnostic alongside OMRS_EXTRA_
support, not as an interface. Operators who need to inspect the
rendered file can read it directly from $OMRS_HOME inside the container.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix typo in openmrs-extra.properties.tmp path

The line that appends a trailing newline to the merged extras tmp file
referenced `openmrs-exta.properties.tmp` (missing 'r') instead of
`openmrs-extra.properties.tmp`. At every Docker container startup this
created a stray empty file `openmrs-exta.properties.tmp` in the working
directory and the intended trailing newline was never appended to the
real tmp file. In practice the downstream concatenation onto
$OMRS_SERVER_PROPERTIES_FILE was unaffected because each line is already
terminated with \n by `echo -e`, but the typo'd file name was clearly
unintended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Coverage Stats

23602 of 36207 relevant lines covered (65.19%)

0.65 hits per line