google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

How can I disable outputs with the token in them? #439

Closed red8888 closed 2 months ago

red8888 commented 2 months ago

TL;DR

I'm capturing steps context info and shipping it somewhere.

I want to exclude the access_token output from this workflow. Is that possible?

When using this workflow, the "steps" context includes this access_token field, which I'd like to purge from my log shipping step.

Detailed design

No response

Additional information

No response

github-actions[bot] commented 2 months ago

Hi there @red8888 :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

sethvargo commented 2 months ago

What are you trying to do? Can you share your action.yml?

red8888 commented 2 months ago

> What are you trying to do? Can you share your action.yml?

I'm just dumping step output for logging/notification purposes so I need to scrub secrets out of it. I don't use this output in any of my steps so just wondering if I can disable it.

- id: 'auth'
  name: 'auth'
  uses: 'google-github-actions/auth@v0.4.0'
  with:
    token_format: 'access_token'
    workload_identity_provider: 'xxxxx'
    service_account: xxxxx

- name: a step that fails
  id: test
  run: |
    fail

- name: Ship Log Errors
  if: always() && job.status == 'failure'
  env:
    # Need to exclude the access_token output?
    STEPS_CONTEXT: ${{ toJson(steps) }}

  run: |
    command-to-ship-logs "$STEPS_CONTEXT"

Opened an SO post too: https://stackoverflow.com/questions/78954775/is-it-possible-to-exclude-specific-outputs-in-github-actions-contexts. Per a comment there, it looks like I can use ::add-mask::{value}. Still, if I can disable the output from the shared workflow directly, that would be even better.

sethvargo commented 2 months ago

Any output that is a secret should already be scrubbed by GitHub (we call setSecret). You are using a very old version of the GitHub Action, so you may consider upgrading.
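
One way to do the scrubbing asked about in this thread before the JSON leaves the runner, as an added example (not code from the thread or from the action): it blanks the `access_token` output by name and also any other copy of that value elsewhere in the `steps` JSON. The `id_token` entry, the `***` placeholder, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import os

# Output names treated as sensitive. access_token is the output named in the
# thread; id_token is an assumption added for illustration.
SENSITIVE_OUTPUTS = {"access_token", "id_token"}
REDACTED = "***"

# Constructed sample shaped like toJson(steps); the token value is fake.
SAMPLE = json.dumps({
    "auth": {"outputs": {"access_token": "constructed-token-value-123",
                         "project_id": "demo"},
             "outcome": "success", "conclusion": "success"},
    "test": {"outputs": {"debug": "Bearer constructed-token-value-123"},
             "outcome": "failure", "conclusion": "failure"},
})


def collect_secrets(steps):
    """Return the values of sensitive outputs found in a steps context dict."""
    found = set()
    for step in steps.values():
        for name, value in (step.get("outputs") or {}).items():
            if name in SENSITIVE_OUTPUTS and value:
                found.add(value)
    return found


def scrub(node, secrets):
    """Recursively replace every occurrence of a secret value inside strings."""
    if isinstance(node, dict):
        return {key: scrub(value, secrets) for key, value in node.items()}
    if isinstance(node, list):
        return [scrub(value, secrets) for value in node]
    if isinstance(node, str):
        for secret in secrets:
            node = node.replace(secret, REDACTED)
    return node


def scrub_steps_context(raw_json):
    """Return the steps context JSON with sensitive output values redacted."""
    steps = json.loads(raw_json)
    return json.dumps(scrub(steps, collect_secrets(steps)))


if __name__ == "__main__":
    # In the workflow, STEPS_CONTEXT is the env var set from toJson(steps);
    # the constructed sample is used when it is not set.
    print(scrub_steps_context(os.environ.get("STEPS_CONTEXT", SAMPLE)))
```

In the workflow this would run inside the shipping step with `STEPS_CONTEXT` set as in the snippet above, and its output, rather than the raw variable, is what gets passed to the log shipper.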