helaili / github-oidc-auth

Retrieve a GitHub scoped token from the github-oidc-auth-app so you can access third-party resources from GitHub Actions with no secret and no PAT
MIT License

Returned token should be declared secret #2

Open segiddins opened 2 months ago

segiddins commented 2 months ago

Before setting the output and env var, the token should be marked as a secret to avoid leaking it in output.

salekseev commented 2 months ago

I believe GitHub Actions masks tokens automatically in logs per https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#redacting-secrets-from-workflow-run-logs
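
The ordering the issue asks for, shown as an added example that is not code from the github-oidc-auth project: a value obtained at run time is registered with the runner's `::add-mask::` workflow command before it is written to `GITHUB_OUTPUT` or `GITHUB_ENV`. The helper name `export_masked_token` and the token value are constructed for illustration.

```shell
#!/bin/sh
# Added example: mask a token obtained at run time, then export it.
# export_masked_token is a hypothetical helper; GITHUB_OUTPUT and
# GITHUB_ENV are the files the Actions runner provides to each step.

NL='
'
CR=$(printf '\r')

export_masked_token() {
  emt_name=$1
  emt_value=$2
  if [ -z "$emt_value" ]; then
    echo "export_masked_token: empty value, nothing exported" >&2
    return 1
  fi
  # A line break would end the workflow command early and leave the rest
  # of the value unmasked, so refuse it instead of exporting it.
  case $emt_value in
    *"$NL"*|*"$CR"*)
      echo "export_masked_token: value contains a line break" >&2
      return 1 ;;
  esac
  # The runner decodes %25 in command data, so escape literal percent signs.
  emt_escaped=$(printf '%s' "$emt_value" | sed 's/%/%25/g')
  # 1. Register the mask on stdout BEFORE the value is written anywhere.
  printf '::add-mask::%s\n' "$emt_escaped"
  # 2. Only then expose it as a step output and as an env var for later steps.
  printf '%s=%s\n' "$emt_name" "$emt_value" >> "${GITHUB_OUTPUT:?not set}"
  printf '%s=%s\n' "$emt_name" "$emt_value" >> "${GITHUB_ENV:?not set}"
}

# Demo outside a runner: temp files stand in for the runner's files and
# the token is a constructed placeholder.
if [ -z "${GITHUB_ACTIONS:-}" ]; then
  GITHUB_OUTPUT=$(mktemp)
  GITHUB_ENV=$(mktemp)
  export_masked_token token "constructed-token-123"
  cat "$GITHUB_OUTPUT"
  rm -f "$GITHUB_OUTPUT" "$GITHUB_ENV"
fi
```
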