Currently, `export-env` has a default value of `true` and is also suggested to be set as `true` in the README.
While it is convenient to do so, it makes the secrets available as ENVs to all the later steps, including third-party GitHub Actions. This can easily lead to leaking secrets when using malicious or vulnerable GitHub Actions.
Thus, I think it should at least be mentioned in the README.
Additionally, the usage of the step outputs of `load-secrets-action` should also be documented.
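To make the difference concrete, here is an added example workflow (not part of this issue or of the project's own documentation) that puts the `export-env: true` job beside one that relies on step outputs instead. It assumes the action reference `1password/load-secrets-action@v2`, the `OP_SERVICE_ACCOUNT_TOKEN` authentication variable, and that a secret declared via an `op://` reference in the step's `env` is exposed as a step output of the same name when `export-env` is `false`; the `op://` path and the third-party action are placeholders.

```yaml
name: export-env demo   # added example; action ref and output naming are assumptions

on: [push]

jobs:
  # Weak: export-env: true writes the secret into the job environment,
  # so every later step, including third-party actions, can read it.
  leaks-to-later-steps:
    runs-on: ubuntu-latest
    steps:
      - name: Load secret (exported to env)
        uses: 1password/load-secrets-action@v2          # assumed action reference
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}  # assumed auth input
          API_TOKEN: op://vault/item/field               # placeholder reference

      - name: Some third-party action
        uses: some-org/some-action@v1                    # placeholder
        # API_TOKEN is present in this step's environment even though it was
        # never passed in; a vulnerable or malicious action can read it.

  # Hardened: export-env: false keeps the value out of the job environment.
  # Only steps that explicitly reference the step output receive it.
  scoped-to-explicit-steps:
    runs-on: ubuntu-latest
    steps:
      - name: Load secret (step output only)
        id: op
        uses: 1password/load-secrets-action@v2          # assumed action reference
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}  # assumed auth input
          API_TOKEN: op://vault/item/field               # placeholder reference

      - name: Step that actually needs the token
        run: ./deploy.sh                                 # placeholder script
        env:
          API_TOKEN: ${{ steps.op.outputs.API_TOKEN }}   # assumed output naming

      - name: Some third-party action
        uses: some-org/some-action@v1                    # placeholder
        # Nothing is passed in here, so the token is absent from this
        # step's environment; the third-party code never sees it.
```

The same grep-style check applies to both jobs: a `run: env` step placed after the loader shows `API_TOKEN` only in the first job, which is a quick way to confirm which setting a workflow is actually using.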