Is it safe to use a workflow command to set a secret as an ENV variable

Hello, I am currently trying to set ENV variables to be certain secrets depending on the github branch invoking the action.

I have something like this:

```yaml
- if: endsWith(github.ref, '/master')
  run: |
    echo "AWS_S3_BUCKET=${{ secrets.PROD_SECRET_EXMAPLE }}" >> $GITHUB_ENV
```

While it achieves my desired results and it does appear to be scrubbing the secret from the logs, I'm worried that this may be too risky. Was hoping to get some other opinions on the matter.

This is the proper way to set an environment variable for the rest of the job. That environment variable is then available to all following steps in the job, which might have security implications.

Whether there are more secure alternatives depends on how you need to use the secret value. In general it's preferable to provide a secret only to the step(s) that need it instead of the rest of the job, whether as an input (via `with` for a `uses` step) or through `jobs.<job_id>.steps[*].env`.
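To make the difference concrete, here is an added example (not from the original post or from GitHub's documentation) of the same branch-dependent selection done with step-scoped `env` and a `with` input instead of `$GITHUB_ENV`. The secret names `PROD_BUCKET`, `DEV_BUCKET` and the action `example-org/s3-upload@v1` are assumptions chosen for illustration; only the steps that carry the `env`/`with` block can read the value, and later steps in the job never see it.

```yaml
name: deploy

on:
  push:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Secret is visible only inside this step's process environment.
      - name: Upload (production branch)
        if: endsWith(github.ref, '/master')
        env:
          AWS_S3_BUCKET: ${{ secrets.PROD_BUCKET }}   # assumed secret name
        run: ./scripts/upload.sh "$AWS_S3_BUCKET"

      - name: Upload (every other branch)
        if: "!endsWith(github.ref, '/master')"
        env:
          AWS_S3_BUCKET: ${{ secrets.DEV_BUCKET }}    # assumed secret name
        run: ./scripts/upload.sh "$AWS_S3_BUCKET"

      # Same scoping for a reusable action: pass the secret as an input.
      # example-org/s3-upload@v1 is a hypothetical action, not a real one.
      - name: Upload via action (production branch)
        if: endsWith(github.ref, '/master')
        uses: example-org/s3-upload@v1
        with:
          bucket: ${{ secrets.PROD_BUCKET }}

      # This step runs after the ones above but has no access to the bucket
      # name, unlike the $GITHUB_ENV variant where it would still be set.
      - name: Later step without the secret
        run: test -z "${AWS_S3_BUCKET:-}" && echo "secret not inherited"
```

Secret masking in logs behaves the same in both variants; what changes is the blast radius inside the job. With `$GITHUB_ENV` every subsequent step, including third-party actions pulled in later, inherits the variable, whereas with step-level `env` or `with` the value exists only for the duration of the step that declares it.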
