From 11dc90faa23d2abe7921a9e70b8d7289e5b614bf Mon Sep 17 00:00:00 2001
From: John Redwood <john.r.k.redwood@gmail.com>
Date: Thu, 26 Jun 2025 17:44:41 +1000
Subject: [PATCH] fix: full contrib for report and length of audit

Signed-off-by: John Redwood <john.r.k.redwood@gmail.com>
---
 .changeset/three-mammals-move.md              |  5 +++
 app-config.yaml                               |  2 ++
 plugins/scaffolder-backend/report.api.md      |  3 ++
 .../src/scaffolder/tasks/TaskWorker.ts        | 32 ++++++++++++++++++-
 .../scaffolder-backend/src/service/router.ts  |  1 +
 5 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/three-mammals-move.md

diff --git a/.changeset/three-mammals-move.md b/.changeset/three-mammals-move.md
new file mode 100644
index 0000000000..646e60f84c
--- /dev/null
+++ b/.changeset/three-mammals-move.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-scaffolder-backend': minor
+---
+
+Implement max length for scaffolder auditor audit logging with default of 256
diff --git a/app-config.yaml b/app-config.yaml
index 910a3e4f99..d0189595e4 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -200,6 +200,8 @@ catalog:
         - allow: [Template]
 
 scaffolder:
+  auditor:
+    maxLength: 256
   # Use to customize default commit author info used when new components are created
   defaultAuthor:
     name: Scaffolder
diff --git a/plugins/scaffolder-backend/report.api.md b/plugins/scaffolder-backend/report.api.md
index 7ece0f84ea..debc9ac60a 100644
--- a/plugins/scaffolder-backend/report.api.md
+++ b/plugins/scaffolder-backend/report.api.md
@@ -273,6 +273,7 @@ export type CreateWorkerOptions = {
   workingDirectory: string;
   logger: LoggerService;
   auditor?: AuditorService;
+  config?: Config;
   additionalTemplateFilters?: Record<string, TemplateFilter>;
   concurrentTasksLimit?: number;
   additionalTemplateGlobals?: Record<string, TemplateGlobal>;
@@ -601,6 +602,8 @@ export class TaskWorker {
   start(): void;
   // (undocumented)
   stop(): Promise<void>;
+  // (undocumented)
+  protected truncateParameters(parameters: JsonObject): JsonObject;
 }
 
 // @public @deprecated
diff --git a/plugins/scaffolder-backend/src/scaffolder/tasks/TaskWorker.ts b/plugins/scaffolder-backend/src/scaffolder/tasks/TaskWorker.ts
index b0c3166ff6..221121b176 100644
--- a/plugins/scaffolder-backend/src/scaffolder/tasks/TaskWorker.ts
+++ b/plugins/scaffolder-backend/src/scaffolder/tasks/TaskWorker.ts
@@ -29,6 +29,8 @@ import { TemplateActionRegistry } from '../actions';
 import { NunjucksWorkflowRunner } from './NunjucksWorkflowRunner';
 import { WorkflowRunner } from './types';
 import { setTimeout } from 'timers/promises';
+import { JsonObject } from '@backstage/types';
+import { Config } from '@backstage/config';
 
 /**
  * TaskWorkerOptions
@@ -44,6 +46,7 @@ export type TaskWorkerOptions = {
   permissions?: PermissionEvaluator;
   logger?: LoggerService;
   auditor?: AuditorService;
+  config?: Config;
   gracefulShutdown?: boolean;
 };
 
@@ -59,6 +62,7 @@ export type CreateWorkerOptions = {
   workingDirectory: string;
   logger: LoggerService;
   auditor?: AuditorService;
+  config?: Config;
   additionalTemplateFilters?: Record<string, TemplateFilter>;
   /**
    * The number of tasks that can be executed at the same time by the worker
@@ -87,12 +91,14 @@ export class TaskWorker {
   private taskQueue: PQueue;
   private logger: LoggerService | undefined;
   private auditor: AuditorService | undefined;
+  private config: Config | undefined;
   private stopWorkers: boolean;
 
   private constructor(private readonly options: TaskWorkerOptions) {
     this.stopWorkers = false;
     this.logger = options.logger;
     this.auditor = options.auditor;
+    this.config = options.config;
     this.taskQueue = new PQueue({
       concurrency: options.concurrentTasksLimit,
     });
@@ -103,6 +109,7 @@ export class TaskWorker {
       taskBroker,
       logger,
       auditor,
+      config,
       actionRegistry,
       integrations,
       workingDirectory,
@@ -130,6 +137,7 @@ export class TaskWorker {
       concurrentTasksLimit,
       permissions,
       auditor,
+      config,
       gracefulShutdown,
     });
   }
@@ -182,6 +190,28 @@ export class TaskWorker {
     });
   }
 
+  protected truncateParameters(parameters: JsonObject) {
+    const auditMaxLength =
+      this.config?.getOptionalNumber('scaffolder.auditor.maxLength') ?? 256;
+    const truncatedParameters: JsonObject = {};
+
+    for (const key in parameters) {
+      if (Object.prototype.hasOwnProperty.call(parameters, key)) {
+        const rawValue = parameters[key];
+        const value = rawValue?.toString();
+        if (value && value.length > auditMaxLength) {
+          truncatedParameters[key] = value
+            .slice(0, auditMaxLength)
+            .concat('...<truncated>');
+        } else {
+          truncatedParameters[key] = rawValue;
+        }
+      }
+    }
+
+    return truncatedParameters;
+  }
+
   async runOneTask(task: TaskContext) {
     const auditorEvent = await this.auditor?.createEvent({
       eventId: 'task',
@@ -189,7 +219,7 @@ export class TaskWorker {
       meta: {
         actionType: 'execution',
         taskId: task.taskId,
-        taskParameters: task.spec.parameters,
+        taskParameters: this.truncateParameters(task.spec.parameters),
         templateRef: task.spec.templateInfo?.entityRef,
       },
     });
diff --git a/plugins/scaffolder-backend/src/service/router.ts b/plugins/scaffolder-backend/src/service/router.ts
index 0ea6293f36..64e7dcb4b4 100644
--- a/plugins/scaffolder-backend/src/service/router.ts
+++ b/plugins/scaffolder-backend/src/service/router.ts
@@ -271,6 +271,7 @@ export async function createRouter(
       integrations,
       logger,
       auditor,
+      config,
       workingDirectory,
       concurrentTasksLimit,
       permissions,