
How to mask environment variables created in GitHub when running a workflow?


I created a GitHub workflow that runs a Python script with a cron schedule. On every run of the workflow an access_token is generated, which is required during the next run.

To save the token, the Python script writes the token to the GITHUB_ENV file. In the next step, I use the hmanzur/[email protected] action to save the token to a GitHub secret. All works fine.

My only problem is that the token gets displayed in the logs of the second step as an environment variable.

Here is a minimal version of the workflow file:

name: Tests
on:
  schedule:
    - cron: "0 1 * * *"
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python: ['3.9']
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python }}
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Run tests
        working-directory: ./src
        run: python -m unittest
        env:
          ACCESS_TOKEN: ${{secrets.ACCESS_TOKEN}}
      - uses: hmanzur/[email protected]
        with:
          name: 'ACCESS_TOKEN'
          value: ${{env.ACCESS_TOKEN}}
          repository: Me/MyRepository
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

I tried applying ::add-mask::. Adding echo "ACCESS_TOKEN=::add-mask::$ACCESS_TOKEN" >> $GITHUB_ENV only added ::add-mask:: to the string.

Is there a way of masking all environment variables in the GITHUB_ENV file that I can apply in the first step? Can I apply the masking to the variable while writing to the GITHUB_ENV file in Python? Or is there a way to disable the display of the environment variables during the workflow?


Solution

  • Your usage of "::add-mask::" is wrong (not your fault, I hate GHA doc).

    What you need to do is:

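    # Workflow command on stdout: register the value for log masking first
    echo "::add-mask::$ACCESS_TOKEN"
    # Then export it to later steps through the GITHUB_ENV file
    echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"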
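
The same two-step pattern done from inside the Python script, which the question also asks about. This is an added example, not part of the original answer: `export_masked` is a hypothetical helper name, the token value is constructed, and the rejection of empty or multi-line values is an added precaution so that a value cannot inject extra lines into the GITHUB_ENV file.

```python
import os
import re
import sys
import tempfile

# Conservative pattern for an environment variable name (assumption of this example).
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def export_masked(name, value, env_file=None, out=None):
    """Mask `value` in the job log, then export it to later steps.

    Returns the line appended to the GITHUB_ENV file.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError("invalid environment variable name")
    # A newline in the value would start a new NAME=value line in GITHUB_ENV,
    # and an empty value would register an empty mask, so refuse both.
    if not value or "\n" in value or "\r" in value:
        raise ValueError("value must be a non-empty single line")

    env_file = env_file or os.environ["GITHUB_ENV"]
    out = out or sys.stdout

    # 1. The mask is a workflow command: it goes to stdout, on its own line,
    #    and must be emitted before the value can show up anywhere in the log.
    out.write(f"::add-mask::{value}\n")
    out.flush()

    # 2. The export is a plain NAME=value line appended to the GITHUB_ENV file.
    line = f"{name}={value}\n"
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    # Local dry run with a constructed token and a temporary file standing in
    # for GITHUB_ENV; on a runner, call export_masked("ACCESS_TOKEN", token).
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as tmp:
        path = tmp.name
    export_masked("ACCESS_TOKEN", "tok-constructed-123", env_file=path)
    os.remove(path)
```

Call it as soon as the new token exists, before any other code prints or logs the value.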