Last active January 30, 2022 14:20
Run at the beginning of job execution to avoid showing any secret at any step
name: Mask secrets
on:
  workflow_dispatch:
jobs:
  mask-secrets:   # job ids may only contain letters, digits, "-" and "_" (no spaces)
    name: Mask secrets at job
    runs-on: ubuntu-latest
    steps:
      - name: Mask
        env:
          SECRETS: ${{ toJson(secrets) }}
        # Emit one ::add-mask:: workflow command per secret value. The runner consumes
        # these commands instead of logging them, so the values never reach the log.
        # "$SECRETS" is quoted so the JSON is not word-split or glob-expanded.
        run: echo "$SECRETS" | jq -r '. | values[]' | while IFS= read -r value; do echo "::add-mask::$value"; done
      - name: Use your secret
        run: |
          echo "Github Repo Secret -> FOO=value"
          echo "I'm using a secret value from Github Repo Secrets"
          # Output: I'm using a secret *** from Github Repo Secrets
I have been asked: What happens when a secret, for example one with the value 1, appears in other places in the logs and it is necessary to see them? Would I see logs that say ***?
Short answer: yes.
I rephrase the question: Do you keep secrets with such short values? Do we understand what a safe secret is?
Why do you decide to store secrets with such insecure values? Wouldn't it be more efficient to inject public environment variables instead of secret ones in these cases?