Is showing github.token (probably the same as GITHUB_TOKEN) intentional?


I’ve just started trying GitHub Actions.

I’m wondering if it’s intentional that github.token (probably the same as GITHUB_TOKEN) on this page is shown in the log view. Is it unsafe?


[Attached: two screenshots, 2019-09-19 16.57.40 and 2019-09-19 17.00.00]


Interestingly, this was not the same as secrets.GITHUB_TOKEN - your workflow is passing environment variables token1 and token2 but you’re evaluating TOKEN1 and TOKEN2.  Environment variables are case sensitive (on POSIX platforms) so they were both empty and that’s why they were the same in your test.

But that’s an aside.  This was part of a change that we made this morning to how temporary secrets are managed and renewed.  Prior to this, github.token and secrets.github_token were the same value.  With this change, we were separating them into distinct values.  In this case, we should have been masking the value of the github.token like we were for the secrets.github_token.

We’ve rolled back this change, so now the values of those two variables are the same again, which means that you should not be able to see github.token in any log output; it should be masked.  (But also note that any tokens that were visible in log output were time limited and have already expired.)

Thanks for letting us know.


Thanks for replying!

I was mistaken that environment variables are case insensitive, as I read the Japanese translation (maybe a bit older than the English one).

I also understood the details about github.token and secrets.GITHUB_TOKEN.

Thank you!!
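
The case mismatch described in the reply above, as an added example that is not part of the original thread or GitHub's own code: a guarded comparison that reports "no conclusion" when either name is unset, instead of treating two empty expansions as equal, and that never echoes the values. The names `token1`/`token2` and `TOKEN1`/`TOKEN2` mirror the thread; the function names and the values are constructed for illustration, and a POSIX platform with `printenv` is assumed.

```shell
#!/bin/sh
# Added example: names token1/token2 and TOKEN1/TOKEN2 mirror the thread;
# the values are constructed placeholders, not real tokens.

# Naive check: succeeds whenever the two expansions match, including when
# both names are unset and therefore expand to empty strings.
naive_same() {
  [ "$(printenv "$1" || true)" = "$(printenv "$2" || true)" ]
}

# Guarded check that never prints the values.
# Returns 0 = both set and equal, 1 = both set and different,
#         2 = at least one name is unset or empty, so no conclusion.
compare_env_secrets() {
  # printenv looks up exported variables by exact, case-sensitive name.
  _a=$(printenv "$1" || true)
  _b=$(printenv "$2" || true)
  _rc=1
  if [ -z "$_a" ] || [ -z "$_b" ]; then
    _rc=2
  elif [ "$_a" = "$_b" ]; then
    _rc=0
  fi
  unset _a _b
  return "$_rc"
}

# The workflow exports lowercase names (constructed values).
export token1="constructed-value-A"
export token2="constructed-value-B"

# The step evaluates the uppercase names, which do not exist here.
rc=0; compare_env_secrets TOKEN1 TOKEN2 || rc=$?
echo "TOKEN1 vs TOKEN2 (guarded): rc=$rc"
rc=0; compare_env_secrets token1 token2 || rc=$?
echo "token1 vs token2 (guarded): rc=$rc"
if naive_same TOKEN1 TOKEN2; then
  echo "naive check reports 'same' for two unset names"
fi
```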