docker / metadata-action

GitHub Action to extract metadata (tags, labels) from Git reference and GitHub events for Docker
https://github.com/marketplace/actions/docker-metadata-action
Apache License 2.0

Secrets exposed in some action output #354

Closed grahamalama closed 11 months ago

grahamalama commented 1 year ago

Contributing guidelines

I've found a bug, and:

Description

Despite secrets being masked in what's provided as input to this action, those same secrets are exposed in some of the output of the action.

Expected behaviour

When I set a repo secret and use the secret in the action, it is masked throughout whatever output the action emits.

Secrets are masked in "Processing images input" 👍🏻

image

Actual behaviour

The secrets are masked in the inputs and in some output, but they are not masked in all of the output, e.g.

image

Workflow run URL

https://github.com/grahamalama/remote-settings/actions/runs/6707922537/job/18227548671

YAML workflow

- name: Docker metadata
  id: docker-metadata
  uses: docker/metadata-action@v5
  with:
    images: |
      mozilla/remote-settings
      ${{ secrets.GAR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.GAR_REPOSITORY }}/remote-settings
    tags: |
      type=raw,value=${{ env.LATEST_TAG }}
      type=raw,value=latest

crazy-max commented 11 months ago

> The secrets are masked in the inputs and in some output, but they are not masked in all of the output, e.g.

This is not something we are doing on our side to hide secrets. This is part of the actions runner runtime. I suggest opening an issue on https://github.com/actions/runner; this might be a bug with their secret masker logic.
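
An added example, not from the thread or from the action's code: the runner masks only the strings it has been given, so a step that runs before the metadata step can register further spellings of a secret with the `::add-mask::` workflow command. `mask_variants` is a hypothetical helper, and the assumption that the unmasked output holds a case-changed form of a secret is not confirmed anywhere in the thread.

```bash
#!/bin/sh
# Added example: register extra spellings of a secret with the Actions runner.
# mask_variants is a hypothetical helper name, not part of any action.
#
# Assumed usage, in a step placed before the "Docker metadata" step, with the
# secrets passed to the step through env: (env names taken from the workflow):
#   mask_variants "$GAR_LOCATION"
#   mask_variants "$GCP_PROJECT_ID"
#   mask_variants "$GAR_REPOSITORY"

# Print one "::add-mask::" workflow command per distinct variant of $1:
# the value as given, all lowercase, and all uppercase.
# Handles single-line values only; returns 1 on empty input.
mask_variants() {
  mv_value="$1"
  mv_seen=""
  # An empty mask would be meaningless, so refuse it.
  [ -n "$mv_value" ] || return 1
  for mv_variant in "$mv_value" \
      "$(printf '%s' "$mv_value" | tr '[:upper:]' '[:lower:]')" \
      "$(printf '%s' "$mv_value" | tr '[:lower:]' '[:upper:]')"; do
    case "$mv_seen" in
      *"|$mv_variant|"*) continue ;;   # variant already emitted
    esac
    mv_seen="$mv_seen|$mv_variant|"
    # The runner reads this line from stdout and masks the value from then on.
    printf '::add-mask::%s\n' "$mv_variant"
  done
}
```

The masks apply to log lines written after the command is processed, so the step has to run before any step that prints the value.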