foo-software / lighthouse-check-action

GitHub Action for running @GoogleChromeLabs Lighthouse audits with all the bells and whistles 🔔 Multiple audits, Slack notifications, and more!
https://github.com/marketplace/actions/lighthouse-check
MIT License

Avoiding credentials in URLs on GitHub comments #74

Closed jbuettnerbild closed 2 years ago

jbuettnerbild commented 2 years ago

Hi,

I have a website with authentication and use user credentials in the URL. These credentials are posted in the GitHub comment and I need a way to avoid this. Is there an option to disable the URL output in the GitHub comments?

Example Code:

- name: run lighthouse
  uses: foo-software/lighthouse-check-action@master
  with:
    urls: https://username:${{ secrets.USER_PASSWORD }}@private-website.com/auth&redirect=https://private-website.com
    device: 'desktop'
    outputDirectory: ${{ github.workspace }}
    commentUrl: https://api.github.com/repos/${{ github.repository }}/commits/${{ github.event.client_payload.ref }}/comments
    gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }}


adamhenson commented 2 years ago

Hi @jbuettnerbild - I don't have a solution to your problem because the URL is really what identifies the audit in the comment. Some people have multiple URLs. If you have the option to authenticate via headers, you could set headers instead of setting in the URL.

We provide scores as an output in a workflow, so if you really want this to work, I'd recommend creating your own custom step to take the output and post to GitHub's REST API which is what we're essentially doing under the hood.
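
A sketch of the custom step suggested above, as an added example that is not code from the action or from either commenter: it strips credentials from each audited URL before building the comment body, then posts that body to the commit comments endpoint. The `{ url, scores }` result shape, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example. The results shape ({ url, scores }) and all sample values are constructed.
const SENSITIVE_PARAMS = /^(token|access_token|password|passwd|secret|api[_-]?key)$/i;

// Strip userinfo (user:pass@) and mask credential-like query parameters.
function redactUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return '[unparseable URL removed]'; // never echo input we cannot sanitize
  }
  u.username = '';
  u.password = '';
  for (const key of [...new Set(u.searchParams.keys())]) {
    if (SENSITIVE_PARAMS.test(key)) u.searchParams.set(key, 'REDACTED');
  }
  return u.toString();
}

// Build the Markdown comment body from audit results, using only redacted URLs.
function buildCommentBody(results) {
  const rows = results.map(({ url, scores }) =>
    `| ${redactUrl(url)} | ${scores.performance} | ${scores.accessibility} | ${scores.seo} |`);
  return ['| URL | Performance | Accessibility | SEO |',
          '| --- | --- | --- | --- |', ...rows].join('\n');
}

// Post the body as a commit comment (same endpoint as commentUrl in the issue).
// Requires Node 18+ for global fetch; not called in this offline demo.
async function postCommitComment({ repo, sha, token, body }) {
  const res = await fetch(`https://api.github.com/repos/${repo}/commits/${sha}/comments`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' },
    body: JSON.stringify({ body }),
  });
  if (!res.ok) throw new Error(`GitHub API returned ${res.status}`);
  return res.json();
}

// Constructed sample input, mirroring the URL form from the issue.
const sampleResults = [{
  url: 'https://username:s3cret@private-website.com/auth&redirect=https://private-website.com',
  scores: { performance: 91, accessibility: 88, seo: 100 },
}];
console.log(buildCommentBody(sampleResults));
```

With this approach the action's own `commentUrl` input is left unset, so the only comment posted is the redacted one.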