Parameter Visibility

Is it possible to hide the information included in the with-section without putting them in secrets?

If for example, you wanted to call an Action with a webhook that supplies the credentials? Like so:

- uses: azure/docker-login@v1
  with:
    login-server: ${{toJSON(github.event.client_payload.registry_url)}}
    username: ${{toJSON(github.event.client_payload.registry_username)}}
    password: ${{toJSON(github.event.client_payload.registry_password)}}

Doing it like this prints the sensitive information to the publicly-visible logs.

Is it possible to avoid/prevent the with-parameters from being logged?
Or, is it possible to hide what they print, like putting the information into a secret would?

I’m wondering if it’s possible that an Action would be in a public repository and public users (without permissions/roles in the repo) could use it to build and deploy the repo to their own private Docker registries, with the public users providing their own credentials in the webhook.

Haven’t tried this myself, but might do what you want.

echo "::add-mask::$MY_ENV_SECRET"
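
The add-mask suggestion above, written out as an added example (not part of the original posts): a Python script, meant to run in a step before azure/docker-login, that reads the repository_dispatch event from GITHUB_EVENT_PATH and emits one ::add-mask:: command per client_payload value. The name mask_commands and the sample payload are constructed for illustration.

```python
"""Added example: register repository_dispatch client_payload values as log masks."""
import json
import os

# Constructed sample event, used only when GITHUB_EVENT_PATH is not set.
SAMPLE_EVENT = {"client_payload": {
    "registry_url": "registry.example.test",
    "registry_username": "deploy-bot",
    "registry_password": "constructed-sample-password",
}}


def mask_commands(payload):
    """Return one ::add-mask:: workflow command per distinct non-empty value line."""
    commands, seen = [], set()

    def walk(node):
        if isinstance(node, dict):
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)
        elif node is None or isinstance(node, bool):
            return  # nothing to mask
        else:
            # Mask every line separately so multi-line values are covered too.
            for line in str(node).splitlines():
                line = line.strip()
                if not line or line in seen:
                    continue
                seen.add(line)
                # '%' is escaped as %25 because the runner decodes %-escapes
                # in workflow command data.
                commands.append("::add-mask::" + line.replace("%", "%25"))

    walk(payload)
    return commands


def main():
    path = os.environ.get("GITHUB_EVENT_PATH")
    event = SAMPLE_EVENT
    if path:
        with open(path, encoding="utf-8") as fh:
            event = json.load(fh)
    # Printing a command on stdout is how a step hands it to the runner.
    for cmd in mask_commands(event.get("client_payload") or {}):
        print(cmd)


if __name__ == "__main__":
    main()
```

A mask only affects log lines written after the command has been processed, so this step has to come before any step that receives the values in its with section.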

@gisligeorgs,

Looks like your workflow (suppose named wf2) is set to run on the repository_dispatch event, which is generally triggered via "Create a repository dispatch event" in another workflow (suppose named wf1).

To prevent your sensitive information from being printed in the logs, I recommend you set this sensitive information as secrets in your repository.
Maybe you can try the below steps:

  1. In the workflow wf1, before executing the API to create the repository dispatch event, you can add a step to execute the API "Create or update a secret for a repository" to add your sensitive information as secrets in the repository where the workflow wf2 is in, instead of explicitly passing the sensitive information via the client_payload object.

  2. Then in the workflow wf2, you can pass the secrets as parameters of the with option.

    - uses: azure/docker-login@v1
      with:
        login-server: ${{ secrets.registry_url }}
        username: ${{ secrets.registry_username }}
        password: ${{ secrets.registry_password }}