GitHub Actions - Mask non-GitHub Env/Secrets

We’re looking to create a custom action to consume secrets stored in Azure Key Vault. Once consumed we would like to inject them in to the environment as secrets (similar to how GitHub Secrets are used today). These injected secrets would be consumed in later steps and discarded once the workflow has completed.

To date I have not found a way to populate environment variables (outside of Secrets) that can be passed on to other steps, or a method to mark custom environment variables as requiring to be masked in the output.

If this is possible with GitHub Actions today, can you please point me to the documentation for it? If it is not possible, can you please provide this feedback to the GitHub Actions team?

6 Likes

The docs are in the process of being updated but you can add a value to a masker by echoing to standard out.

Mask a value in log: add-mask

::add-mask::{value}

Masking a value prevents a string or variable from being printed in the log. Each masked word separated by whitespace is replaced with the * character. You can use an environment variable or string for the mask’s value.

Example masking a string

When you print "Mona The Octocat" in the log, you’ll see "***".

echo "::add-mask::Mona The Octocat"

We are also working through an explicit model for actions to output secrets, just like they can output standard variables: https://github.com/actions/toolkit/blob/master/packages/core/src/core.ts#L48

4 Likes
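To make the reply above concrete, here is an added example (not from the original thread and not GitHub's own runner code) that models what the runner does with a "::add-mask::" line: the line is consumed as a command rather than logged, and every later occurrence of the registered value is replaced with "***". The function names register_mask, redact_stream and demo, and the sample value "Mona The Octocat", are constructed for this example; the redaction logic is a deliberately simplified stand-in for the runner's masker.

```shell
#!/usr/bin/env bash
# Added example: a local stand-in for the GitHub Actions log masker.
# It is not the runner's code; it only illustrates the ::add-mask:: contract.

# Print the workflow command a step would emit to register a mask.
# In a real step this is the same as: echo "::add-mask::$value"
register_mask() {
  printf '::add-mask::%s\n' "$1"
}

# Redact a log stream the way the runner does (simplified model):
#  - a line starting with "::add-mask::" registers the rest of the line as a
#    masked value and is swallowed, never printed;
#  - every registered value found in later lines is replaced with "***".
redact_stream() {
  awk '
    index($0, "::add-mask::") == 1 {
      v = substr($0, 13)            # "::add-mask::" is 12 characters
      if (v != "") masks[v] = 1
      next
    }
    {
      line = $0
      for (m in masks) {
        out = ""
        # rebuild the line piecewise so the replacement itself is never rescanned
        while ((i = index(line, m)) > 0) {
          out = out substr(line, 1, i - 1) "***"
          line = substr(line, i + length(m))
        }
        line = out line
      }
      print line
    }
  '
}

# Demonstration with a constructed sample value (not a real secret):
# register the mask first, then "accidentally" print the value.
demo() {
  local secret="Mona The Octocat"   # constructed sample
  {
    register_mask "$secret"
    echo "token is $secret"
    echo "nothing to hide here"
  } | redact_stream
}

demo
```

Running demo prints "token is ***" followed by "nothing to hide here". The order matters in a real workflow too: the ::add-mask:: line must reach stdout before the value is printed anywhere, so a step that fetches a secret should mask it immediately after obtaining it and before exporting or echoing it.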

This is really good when it is inside a step. But if I define environment variables at job level, how can I mask those without repeatedly calling ‘::add-mask::[value]’ in each step where they are used?