Allow unmasking `aws-region` in log output

[shtrom]

Describe the feature

It would be good for the aws-region not not be masked in the log output of actions. Either by default, or via a configurable option.

Use Case

The aws-region is part of URLs, such as CloudWatch logs. When such a URL is dumped in the logs of a GitHub action, the aws-region value is masked with ***. This makes the URL invalid, and adds friction when deeper investigation by perusal of the log is needed.

Proposed Solution

A similar feature as mask-aws-account-id would be good, to allow unmasking the aws-region in log output when set to

mask-aws-region: no

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[tim-finnigan]

Thanks for the feature request - this has come up before: #494.

Per that issue:

Got my solution if we don't want your aws region to get masked please don't use it as a secret like {{secrets.AWS_REGION}} simply hard code it in our workflow commands.

Does that solution work for you @shtrom? I saw another issue related to this (#368), but there were issues with reproducing it.

[amlearn]

Thanks @tim-finnigan

While we weren't pulling the value from GitHub secrets, we had a similar mechanism to pull values from configuration files and inject them as environment variables.

Some values were masked, but the ones needed visible weren't.

BUT, because masking happens by value, and not by variable, any variable that shares a value or part of a value that has been masked also gets masked.

Thanks for your comment! It inspired a very practical facepalm moment 👍

[amlearn]

(I'm a colleague of @shtrom btw - we've now got the visibility of aws-region solved 👍 )