Skip to content

Added warning to documentation. #37411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Added warning to documentation. #37411

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions ...kflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,7 @@ Write-Output "::add-mask::Mona The Octocat"

> [!WARNING]
> Make sure you register the secret with 'add-mask' before outputting it in the build logs or using it in any other workflow commands.
> This will still leak the string initialy as part of the echo statment.
Copy link
Contributor

@jsoref jsoref Apr 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the very least:

Suggested change
> This will still leak the string initialy as part of the echo statment.
> This will still leak the string initially as part of the echo statement.


### Example: Masking an environment variable

Expand Down Expand Up @@ -324,6 +325,9 @@ jobs:

{% endpowershell %}

> [!WARNING]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the gist is correct that you can't actually use an env: block to set an unmasked secret and thus this section should be changed to just say as much:

Important

Values set via an env: block in a workflow will be logged. Trying to mask in the step would be too late.
Masking would have to be done beforehand or by providing a file with the data and then reading the value, masking, and setting the variable locally within the shell context.

> This will still leak the string as part of the env.

### Example: Masking a generated output within a single job

If you do not need to pass your secret from one job to another job, you can:
Expand Down
Loading