Secrets and Var #178215
-
Why are you starting this discussion?Question What GitHub Actions topic or product is this about?Misc Discussion DetailsWhen viewing GitHub Actions logs, I noticed that both the secret and variable values appear as *** when echoed. This only happens when both the variable and the secret have the same value. Is it really GitHub Actions’ behavior to mask all matching values, even if the secret itself hasn’t been explicitly referenced? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
Yes , that’s expected behavior. ✅ GitHub Actions automatically masks any value in the logs that matches any configured secret, even if the secret isn’t directly referenced in the workflow. This happens because GitHub’s masking system scans all log output and replaces anything that matches secret values to prevent accidental exposure. It doesn’t check where the value came from — only if it matches a known secret. Example: In short: 🔒 GitHub masks by value, not by variable name. 🧠 It’s intentional for security — to avoid leaking secrets through indirect outputs. 🧩 To verify your workflow logic, you can temporarily change the variable’s value (to something that doesn’t match a secret) to confirm what’s happening. This is normal and part of GitHub Actions’ built-in secret protection mechanism. |
Beta Was this translation helpful? Give feedback.
-
|
I was doing this and had this same question yesterday. GIthub masks the value by default when you try to print it in your logs so it doesn't get stolen by other users. |
Beta Was this translation helpful? Give feedback.
Yes , that’s expected behavior. ✅
GitHub Actions automatically masks any value in the logs that matches any configured secret, even if the secret isn’t directly referenced in the workflow.
So if a variable or output coincidentally matches a secret’s value, it will appear as *** in the logs.
This happens because GitHub’s masking system scans all log output and replaces anything that matches secret values to prevent accidental exposure. It doesn’t check where the value came from — only if it matches a known secret.
Example:
If you have a secret MY_TOKEN=12345, and a variable or step prints 12345, it will be masked as *** — even if MY_TOKEN isn’t used anywhere in that job.
In short:
🔒 GitHub…