GitHub Actions mask dynamic secrets


This post goes over how to mask dynamic secrets in GitHub Actions.

Problem

Let’s say you have these steps in your workflow:

- name: Get secret
  run: |
    SECRET=$(cat password.txt)
    echo "secret=$SECRET" >> $GITHUB_OUTPUT
  id: secret

- name: Use secret
  run: echo "do something with $SECRET"
  env:
    SECRET: ${{ steps.secret.outputs.secret }}

How do you prevent your secret from being logged?

Solution

The answer is to mask your secret with the ::add-mask:: workflow command:

 - name: Get secret
   run: |
     SECRET=$(cat password.txt)
+    echo "::add-mask::$SECRET"
     echo "secret=$SECRET" >> $GITHUB_OUTPUT
   id: secret
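
Review bot: at the added echo "::add-mask::$SECRET" line nothing checks that SECRET is non-empty, so an empty password.txt produces a mask command with no value and the step still writes secret= to $GITHUB_OUTPUT for the next step to use. Consider failing early just before the echo, for example with [ -n "$SECRET" ] || exit 1. The ordering is right as written: the mask is issued before the value is written to the output file.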

Now when you check your logs, the secret will be replaced with ***.
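
The shell from the Get secret step, extended to values with more than one line, as an added example that is not from the original post: ::add-mask:: registers a single line, so each line is masked separately and the output is written in GitHub's name<<DELIMITER form. The helper name mask_and_export and the sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). mask_and_export is a hypothetical helper.
# Usage inside a workflow step:  mask_and_export secret "$(cat password.txt)"

mask_and_export() {
  mae_name=$1
  mae_value=$2

  # An empty value cannot be masked; fail instead of exporting it.
  if [ -z "$mae_value" ]; then
    echo "refusing to export empty value for '$mae_name'" >&2
    return 1
  fi

  # ::add-mask:: covers one line, so register each non-empty line separately.
  printf '%s\n' "$mae_value" | while IFS= read -r mae_line; do
    if [ -n "$mae_line" ]; then
      printf '::add-mask::%s\n' "$mae_line"
    fi
  done

  # Multi-line outputs use the name<<DELIMITER form; a random delimiter
  # keeps the value from ending the block early.
  mae_delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$mae_name" "$mae_delim"
    printf '%s\n' "$mae_value"
    printf '%s\n' "$mae_delim"
  } >> "$GITHUB_OUTPUT"
}

# Demo with a constructed two-line value: run as  ./mask.sh --demo
if [ "${1:-}" = "--demo" ]; then
  GITHUB_OUTPUT=$(mktemp)
  export GITHUB_OUTPUT
  mask_and_export secret "$(printf 'constructed-line-1\nconstructed-line-2')"
  echo "--- contents of GITHUB_OUTPUT ---"
  cat "$GITHUB_OUTPUT"
  rm -f "$GITHUB_OUTPUT"
fi
```
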


