-
Hi I’ve just started trying GitHub Actions. I’m wondering if it’s intentional that github.token(probably same as GITHUB_TOKEN) in this page is shown in log view. is it unsafe? thanks:) |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
Interestingly, this was not the same as secrets.GITHUB_TOKEN - your workflow is passing environment variables But that’s an aside. This was part of a change that we made this morning to how temporary secrets are managed and renewed. Prior to this, We’ve rolled back this change, so now the value of those two variables are the same again, which means that you should not be able to see Thanks for letting us know. |
Beta Was this translation helpful? Give feedback.
-
Thanks for replying! I was mistaken that environment variables are case insensitive as I read Japanese translation (maybe a bit older than English one). I also understood the details about Thank you!! |
Beta Was this translation helpful? Give feedback.
Interestingly, this was not the same as secrets.GITHUB_TOKEN - your workflow is passing environment variables
token1
andtoken2
but you’re evaluatingTOKEN1
andTOKEN2
. Environment variables are case sensitive (on POSIX platforms) so they were both empty and that’s why they were the same in your test.But that’s an aside. This was part of a change that we made this morning to how temporary secrets are managed and renewed. Prior to this,
github.token
andsecrets.github_token
were the same value. With this change, we were separating them into distinct values. In this case, we should have been masking the value of thegithub.token
like we were for thesecrets.github_token
.We’ve rolled …