Does add-mask work at all?

From what I can tell, the add-mask command doesn’t work at all. If I do: 

- run: echo "::add-mask::${{ steps.mystep.outputs.myvalue }}"

In the output I still see:

echo "::add-mask::my value that I totally don't want to expose"

The same thing happens if I use an environment variable: the variable is expanded in the log. Later instances of the sensitive data are definitely translated to the *** value, but the sensitive data is still in the log from when the add-mask command was executed.

If the add-mask command itself exposes the secret, what’s the point?

Hi @zebraflesh,

The add-mask command itself will expose the value in the log for the first time.

All I can think of is to put it in a script. For example, create a ‘test.sh’ with the code below:

echo "::add-mask::teststring"

And in the workflow yaml:

      - name: set mask
        run: |
          sh test.sh
      - name: echo string
        run: |
          echo teststring

In the workflow log, it will display as ‘*’.

Thanks.

How would you do this if you needed to hide something in the github context like this ${{ steps.mystep.outputs.myvalue }}?

The mask needs to be added before the output is registered.

Otherwise at the time when the inputs are evaluated for the next step, the value is not yet registered as a secret. It doesn’t get registered until the next step executes. When the step inputs are logged, it hasn’t yet been registered as a secret.

Issue also logged here: https://github.com/actions/runner/issues/475
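
The ordering described in the last reply (add the mask first, then register the output, inside the same step), as an added shell example that is not from the thread. `mask_then_output` is a hypothetical helper, and it assumes the runner's `GITHUB_OUTPUT` file for step outputs, which the thread does not mention. The value is read by the shell at run time, so no `${{ }}` expression is expanded into the step's script text.

```shell
# Added example, not code from the thread. mask_then_output is a hypothetical
# helper; it assumes the runner provides the GITHUB_OUTPUT file for step outputs.

# Usage: mask_then_output NAME VALUE
mask_then_output() {
  name=$1
  value=$2
  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "GITHUB_OUTPUT is not set" >&2
    return 1
  fi

  # Delimiter for the multi-line output syntax; refuse a value that contains it
  # so the value cannot terminate the block early.
  delim="MASKED_OUTPUT_$$_$(date +%s)"
  case $value in
    *"$delim"*) echo "value contains the output delimiter" >&2; return 1 ;;
  esac

  # 1. Register the mask. A workflow command occupies one log line, so each
  #    non-empty line of a multi-line value is masked separately.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done

  # 2. Only now register the output for later steps to read.
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >>"$GITHUB_OUTPUT"
}

# In a step's run script the value comes from the shell, for example
# (get-value.sh is a placeholder for whatever produces the value):
#   mask_then_output myvalue "$(./get-value.sh)"
```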