Complete github context: best way to see it?

All,

I know that the github context is quite powerful and so I’m wondering if the complete “API” exists anywhere? (For example, from that page you wouldn’t know github.event.repository.name exists because it only talks up to github.event.)

I did see the bits in the doc about toJSON'ing the context in a workflow, but the warning on that link:

Warning: When using the whole github context, be mindful that it includes sensitive information such as github.token. GitHub masks secrets when they are printed to the console, but you should be cautious when exporting or printing the context.

sort of frightens me as someone who once accidentally exposed a key on GitHub and found out the speed and power of hackers monitoring GitHub! Is this a fairly safe way to see the full context? Or maybe there’s a way to use action-tmate to do it in a safe way?

If your repository is private to only you, the toJSON should be reasonably safe.

I wouldn’t do it otherwise if I were you. – Having had a white hat actually find a valid exploit against one of my workflows.

Yeah. I figured. I did this on a throwaway and I got what I needed for my task!

1 Like