Describe the bug
Github actions workflow with inputs cannot be masked using add-mask.
To Reproduce
name: add-mask-test
on:
workflow_dispatch:
inputs:
secret:
description: 'secret value'
required: true
jobs:
my-job:
runs-on: ubuntu-latest
steps:
- name: add-mask test
run: |
echo "::add-mask::${{ github.event.inputs.secret }}"
Expected behavior
The value in add-mask does not appear at all in the workflow log output
Current runner version: '2.272.0'
Operating System
Ubuntu
18.04.4
LTS
The value in add-mask appears twice without masking
add-mask test
shell: /bin/bash -e {0}
Run echo "::add-mask::password"
echo "::add-mask::password"
shell: /bin/bash -e {0}
I also confirm the bug.
A possible solution to this could be the workflow_dispatch inputs to be enhanced with INPUT_* environment variables as it is described in the documentation. This is also discussed in the Github Community.
Provided the env variables are automatically set, we can then use echo "::add-mask::$INPUT_MYVAR" and the actual value will not be exposed in the logs.
Seems to be related to #475.
Any updates on this? This is a major blocker for my company. We planned to use the input parameter as passphrase to decrypt files needed in the workflow that are user-specific.
My use case is slightly different but I think my workaround will work for others as well.
curl would produce output that contained secret data; but it was data i needed to parse with jq or fromJson. add-mask wouldn't work just the same as everyone else here.
my workaround was to write to a file and just read from that for future actions:
- name: auth
run: curl -sL "https://.../licenseKey?licenseKey=${KEY}" -o /tmp/key.json
env:
KEY: ${{ secrets.KEY }}
and then later steps i can just get a value from the response like so. This'll be different depending on what you're parsing and how you need to pass the data between tasks.
run: |
idToken=$(jq -r '.idToken' /tmp/key.json)
do_something_with $idToken
Doing it this way kept the output clean.
my workarround
create a shell variable from your input:
```
run: |
MY_SECRET=$(cat $GITHUB_EVENT_PATH | jq '.inputs.secret' | sed 's/"//g' )
echo "::add-mask::$MY_SECRET"
my workarround
Thank you! (MY_SECRET can be shortened to jq -r '.inputs.secret' $GITHUB_EVENT_PATH)
For the record, inputs / environment variables following certain naming conventions are being masked automatically.
Please reference the detailed description and code examples in the related issue https://github.com/actions/runner/issues/475#issuecomment-742271143.
Most helpful comment
my workarround
create a shell variable from your input:
```
run: |
MY_SECRET=$(cat $GITHUB_EVENT_PATH | jq '.inputs.secret' | sed 's/"//g' )
echo "::add-mask::$MY_SECRET"