[BUG]: sensitive output (actions/runners/registration-token) can't be masked #213

Open
@dennisameling

What happened?

Consider the following Actions config:

    - name: Generate Actions Runner token
      uses: octokit/[email protected]
      id: generate-actions-runner-token
      with:
        route: POST /repos/{owner}/{repo}/actions/runners/registration-token
        owner: ${{ env.ACTIONS_RUNNER_ORG }}
        repo: ${{ env.ACTIONS_RUNNER_REPO }}
      env:
        GITHUB_TOKEN: ${{ secrets.GH_API_PAT }}

    - name: Set and mask Actions Runner token for next steps
      run: |
        # We need to mask the token first before setting it to an env variable
        echo "::add-mask::${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}"
        ACTIONS_RUNNER_TOKEN=${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}
        echo ACTIONS_RUNNER_TOKEN=$ACTIONS_RUNNER_TOKEN >> $GITHUB_ENV

This actually exposes the token to the CI logs, as also reported in this issue: actions/runner#475

You might want to add a warning about this to the README of this action or find another solution to hide this sensitive data. Thanks!

Versions

octokit/[email protected]

Relevant log output

See above
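
One way to avoid the exposure described in this issue, as an added example that is not part of the original issue or of the octokit/request-action project: fetch, mask and export the token inside a single shell step, so the value never becomes a step output and never passes through a `${{ }}` expression. The function names, the sed-based extraction, the `OWNER`/`REPO` variables in the usage comment and the sample JSON are assumptions; the response is assumed to carry the token in a top-level `token` field, as the `fromJson(...).token` expression above implies.

```shell
#!/usr/bin/env bash
# Added example: intended as the body of ONE `run:` step (bash).
# Assumed usage inside the step, with GH_TOKEN set from a secret and
# OWNER/REPO as hypothetical env vars:
#   gh api --method POST "repos/$OWNER/$REPO/actions/runners/registration-token" \
#     | export_masked_token
# The token travels only through a pipe and a shell variable, so it is not
# expanded into the script text that the runner prints for the step.

# extract_token: read JSON on stdin, print the value of the "token" string field.
extract_token() {
  tr -d '\n' | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# export_masked_token: register the mask, then persist the token for later steps.
# Returns 1 and writes nothing to GITHUB_ENV when the response has no token
# (for example an API error body).
export_masked_token() {
  local token
  token="$(extract_token)"
  if [ -z "$token" ]; then
    echo "no token field in API response" >&2
    return 1
  fi
  # Mask first: the workflow command must be emitted before any other use.
  echo "::add-mask::${token}"
  echo "ACTIONS_RUNNER_TOKEN=${token}" >> "$GITHUB_ENV"
}

# Demo with a constructed response (not a real token). On a runner,
# GITHUB_ENV is already set; here a temp file stands in for it.
SAMPLE='{"token":"CONSTRUCTED-EXAMPLE-TOKEN","expires_at":"2030-01-01T00:00:00Z"}'
GITHUB_ENV="${GITHUB_ENV:-$(mktemp)}"
printf '%s' "$SAMPLE" | export_masked_token
```

Later steps read the value as `$ACTIONS_RUNNER_TOKEN` from the environment rather than through `${{ env.ACTIONS_RUNNER_TOKEN }}` inside a `run:` script.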
