Masking or sanitizing pwsh output logs

Step

- name: 'AZ COPY'
  shell: pwsh
  run: |
    $bldNum=${{ steps.buildnumber.outputs.build_number }}
    echo "Copying upload to https://stsecureupload.blob.core.windows.net/intake/v001/${bldNum}"
    .\azcopy\azcopy cp "upload" "https://stsecureupload.blob.core.windows.net/intake/v001/${bldNum}?${{ steps.SAS_TOKEN.outputs.AZURE_STORAGE_SAS_TOKEN }}" --recursive=true --put-md5

Output result

AZ COPY 3s

Total Number of Transfers: 3
Run $bldNum=42
  $bldNum=42
  echo "Copying upload to https://stsecureupload.blob.core.windows.net/intake/v001/${bldNum}"
  .\azcopy\azcopy cp "upload" "https://stsecureupload.blob.core.windows.net/intake/v001/${bldNum}?st=2020-04-14T18%3A58%3A56Z&se=2020-04-16T18%3A58%3A56Z&sp=racwdl&spr=https&sv=2018-11-09&sr=c&skoid= **REDACTED** &sktid= **REDACTED** &skt=2020-04-14T18%3A58%3A56Z&ske=2020-04-16T18%3A58%3A56Z&sks=b&skv=2018-11-09&sig= **REDACTED**" --recursive=true --put-md5
  shell: C:\Program Files\PowerShell\7\pwsh.EXE -command ". '{0}'"
  env:
    ROOT_PATH: .
    STORAGE_ACCOUNT_NAME: stsecureupload
    CONTAINER_NAME: intake
    BUILD_NUMBER: 42
    AZURE_HTTP_USER_AGENT:
Copying upload to https://stsecureupload.blob.core.windows.net/intake/v001/42
INFO: Scanning...
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support

Job 0c1723cf-cf08-e544-7170-b1ce4884e076 has started
Log file is located at: C:\Users\runneradmin\.azcopy\0c1723cf-cf08-e544-7170-b1ce4884e076.log


100.0 %, 0 Done, 0 Failed, 3 Pending, 0 Skipped, 3 Total,


Job 0c1723cf-cf08-e544-7170-b1ce4884e076 summary
Elapsed Time (Minutes): 0.0334
Number of File Transfers: 3
Number of Folder Property Transfers: 0

I have tried a bunch of variations of _ echo ::add-mask: __ : _ with no luck.  

What can I do to keep sensitive data from leaking?

Thanks

Hi @ghstahl ,

A steps.outputs value will be displayed in the workflow log when it is involved; unfortunately, data leaking cannot be avoided with it.

As an alternative, you can change the repo to private or, as a more complicated option, write an action instead and execute the steps in the backend, outputting only the info that is not sensitive.
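
For reference, an added example (not part of the original thread) of the pattern GitHub documents for masking a value generated inside a job: the step that creates the token registers it with `::add-mask::` before writing it to its output, so later steps that expand the output are logged with `***`. The step id `SAS_TOKEN`, the output name and the `azcopy` call come from the question; the `New-SasToken.ps1` helper and the `SAS` and `BLD_NUM` variable names are assumptions.

```yaml
steps:
  - name: 'Get SAS token'
    id: SAS_TOKEN
    shell: pwsh
    run: |
      # Assumed helper: stands in for however the real workflow obtains the token.
      $sas = ./scripts/New-SasToken.ps1
      # Register the mask first. Only log lines written AFTER this command are
      # scrubbed, so nothing may print $sas before this point.
      Write-Output "::add-mask::$sas"
      # Publish the value as a step output for later steps in this job.
      "AZURE_STORAGE_SAS_TOKEN=$sas" >> $env:GITHUB_OUTPUT

  - name: 'AZ COPY'
    shell: pwsh
    env:
      # The runner prints this env block in the step header, which is why the
      # mask has to be registered in the producing step and not in this one.
      SAS: ${{ steps.SAS_TOKEN.outputs.AZURE_STORAGE_SAS_TOKEN }}
      BLD_NUM: ${{ steps.buildnumber.outputs.build_number }}
    run: |
      $dest = "https://stsecureupload.blob.core.windows.net/intake/v001/$env:BLD_NUM"
      Write-Output "Copying upload to $dest"
      # The token is read from the environment at run time, so the script text
      # echoed in the log contains only the variable name.
      .\azcopy\azcopy cp "upload" "${dest}?$env:SAS" --recursive=true --put-md5
```

The mask matches the exact string that was registered, so a re-encoded or truncated copy of the token would not be scrubbed.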