Runner: add-mask doesn't work with workflow_dispatch inputs

Created on 5 Aug 2020  路  7Comments  路  Source: actions/runner

Describe the bug
Github actions workflow with inputs cannot be masked using add-mask.

To Reproduce

  1. Create workflow
name: add-mask-test
on: 
  workflow_dispatch:
    inputs:
      secret:
        description: 'secret value'
        required: true
jobs:
  my-job:
    runs-on: ubuntu-latest
    steps:
      - name: add-mask test
        run: |
          echo "::add-mask::${{ github.event.inputs.secret }}"
  1. Run workflow entering secret value "password" as input
  2. Look at workflow log and see value "password" appears twice without masking

Expected behavior
The value in add-mask does not appear at all in the workflow log output

Runner Version and Platform

Current runner version: '2.272.0'
Operating System
Ubuntu
18.04.4
LTS

What's not working?

The value in add-mask appears twice without masking

Job Log Output

add-mask test
shell: /bin/bash -e {0}
Run echo "::add-mask::password"
echo "::add-mask::password"
shell: /bin/bash -e {0}

bug

Most helpful comment

my workarround
create a shell variable from your input:

```
run: |
MY_SECRET=$(cat $GITHUB_EVENT_PATH | jq '.inputs.secret' | sed 's/"//g' )
echo "::add-mask::$MY_SECRET"

All 7 comments

I also confirm the bug.

A possible solution to this could be the workflow_dispatch inputs to be enhanced with INPUT_* environment variables as it is described in the documentation. This is also discussed in the Github Community.

Provided the env variables are automatically set, we can then use echo "::add-mask::$INPUT_MYVAR" and the actual value will not be exposed in the logs.

Seems to be related to #475.

Any updates on this? This is a major blocker for my company. We planned to use the input parameter as passphrase to decrypt files needed in the workflow that are user-specific.

My use case is slightly different but I think my workaround will work for others as well.

curl would produce output that contained secret data; but it was data i needed to parse with jq or fromJson. add-mask wouldn't work just the same as everyone else here.

my workaround was to write to a file and just read from that for future actions:

      - name: auth
        run: curl -sL "https://.../licenseKey?licenseKey=${KEY}" -o /tmp/key.json
        env:
          KEY: ${{ secrets.KEY }}

and then later steps i can just get a value from the response like so. This'll be different depending on what you're parsing and how you need to pass the data between tasks.

        run: |
          idToken=$(jq -r '.idToken' /tmp/key.json)
          do_something_with $idToken

Doing it this way kept the output clean.

my workarround
create a shell variable from your input:

```
run: |
MY_SECRET=$(cat $GITHUB_EVENT_PATH | jq '.inputs.secret' | sed 's/"//g' )
echo "::add-mask::$MY_SECRET"

my workarround

Thank you! (MY_SECRET can be shortened to jq -r '.inputs.secret' $GITHUB_EVENT_PATH)

For the record, inputs / environment variables following certain naming conventions are being masked automatically.
Please reference the detailed description and code examples in the related issue https://github.com/actions/runner/issues/475#issuecomment-742271143.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

beetlikeyg087 picture beetlikeyg087  路  6Comments

peaceiris picture peaceiris  路  4Comments

Yanjingzhu picture Yanjingzhu  路  6Comments

jl-gogovapps picture jl-gogovapps  路  4Comments

asomers picture asomers  路  5Comments