qetza / replacetokens-action

An action to replace tokens in text files with variables and/or secrets.
MIT License

secrets logged in workflow logs if ${{ toJSON(secrets) }} is used #20

Closed danstis closed 1 month ago

danstis commented 1 month ago

When I use this step with the example:

- name: Replace tokens
  uses: qetza/replacetokens-action@v1
  id: replacetokens
  with:
    sources: ~/somefile.yml
    variables: '[${{ toJSON(vars) }},${{ toJSON(secrets) }}]'
    if-no-files-found: 'error'
    recursive: 'true'

The logs of the action include all of the secrets in an unredacted form in my GitHub Environment: image

There should be a way to pass in secrets without being logged into the output of the workflow.

danstis commented 1 month ago

Ignore me, I had them saved as variables not secrets... 😳
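
Added example, not part of the original issue or the action's own code: GitHub Actions redacts values from the `secrets` context in logs but prints `vars` values as-is, which is the mix-up described above. This Python sketch audits a `toJSON(vars)` object for names that look like credentials and builds `::add-mask::` commands as a stopgap. The name pattern, function names and sample data are assumptions made for illustration.

```python
import json
import re

# Assumed naming heuristic (not from the issue): names that usually hold credentials.
SENSITIVE_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL|CONNECTION_?STRING)",
    re.IGNORECASE,
)


def audit_vars(vars_json: str) -> list[str]:
    """Return the names in a toJSON(vars) object that look like credentials."""
    data = json.loads(vars_json)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object, as produced by toJSON(vars)")
    return sorted(name for name in data if SENSITIVE_NAME.search(name))


def mask_commands(vars_json: str, names: list[str]) -> list[str]:
    """Build ::add-mask:: workflow commands for the flagged values."""
    data = json.loads(vars_json)
    commands = []
    for name in names:
        # Workflow commands are single-line, so mask each non-empty line separately.
        for line in str(data[name]).splitlines():
            if line.strip():
                commands.append(f"::add-mask::{line}")
    return commands


# Constructed sample standing in for the output of ${{ toJSON(vars) }}.
SAMPLE_VARS = json.dumps({
    "APP_NAME": "demo",
    "DB_PASSWORD": "constructed-example-value",
    "deploy_token": "line-one\nline-two",
    "REGION": "westeurope",
})

if __name__ == "__main__":
    flagged = audit_vars(SAMPLE_VARS)
    for name in flagged:
        # ::warning:: surfaces the finding as an annotation on the workflow run.
        print(f"::warning::variable {name} looks sensitive; store it as a secret")
    for command in mask_commands(SAMPLE_VARS, flagged):
        print(command)
```

A mask only applies to log lines written after the command is printed, so such a step has to run before any step that consumes the values. Moving the flagged entries from variables to secrets is the actual fix.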