1Password / load-secrets-action

Load secrets from 1Password into your GitHub Actions jobs
https://developer.1password.com
MIT License
190 stars 25 forks

export-env security risk #79

Open datbth opened 1 week ago

datbth commented 1 week ago

Currently, export-env has a default value of true and is also suggested to be set to true in the README.

While it is convenient to do so, it makes the secrets available as environment variables to all the later steps, including third-party GitHub Actions. This can easily lead to leaking secrets when using malicious or vulnerable GitHub Actions.
Thus, I think it should at least be mentioned in the README.

Additionally, the usage of the step outputs of load-secrets-action should also be documented.
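To make the two configurations concrete, here is an added example workflow (written for this thread, not taken from the project's README or code) contrasting the default `export-env: true` with `export-env: false` plus step outputs. It assumes the action's documented `env:` mapping of variable names to `op://` references, a service-account token in the repository secret `OP_SERVICE_ACCOUNT_TOKEN`, and a vault, item and field path that is a placeholder; `some-org/third-party-action@v1` is a hypothetical third-party action standing in for any step that should not receive the secret.

```yaml
# Added example: two jobs, one with the default (risky) setting and one
# that keeps the secret out of unrelated steps' environment.
name: load-secrets-export-env-example
on: [push]

jobs:
  # Job 1: export-env defaults to true. Every later step in this job, including
  # the third-party action, sees DB_PASSWORD in its environment.
  export-env-default:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/load-secrets-action@v1
        with:
          # export-env: true is the default, shown here to make the risk explicit
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://placeholder-vault/placeholder-item/password  # placeholder path

      - name: Step that legitimately needs the secret
        run: ./scripts/migrate.sh   # reads $DB_PASSWORD from the environment

      # Hypothetical third-party action: it did not ask for DB_PASSWORD, but the
      # variable is present in its process environment anyway.
      - uses: some-org/third-party-action@v1

  # Job 2: export-env: false. The secret is only a step output, and it is
  # passed via env: to exactly the step that needs it.
  export-env-false:
    runs-on: ubuntu-latest
    steps:
      - id: op-load
        uses: 1password/load-secrets-action@v1
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://placeholder-vault/placeholder-item/password  # placeholder path

      - name: Step that legitimately needs the secret
        env:
          # Scoped to this step only; later steps do not inherit it.
          DB_PASSWORD: ${{ steps.op-load.outputs.DB_PASSWORD }}
        run: ./scripts/migrate.sh

      # Hypothetical third-party action: no DB_PASSWORD in its environment.
      - uses: some-org/third-party-action@v1
```

The difference is scoping: with `export-env: true` the loaded secrets become job-wide environment variables, so any later step (including code you did not write) can read them, whereas with `export-env: false` each secret is referenced as `steps.<id>.outputs.<NAME>` and exposed only where the workflow author explicitly passes it. The output names following the `env:` variable names is the behaviour this example assumes; check the action's documentation for the exact mapping.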