Way to unmask variables in workflow logs


Today I was trying to debug an issue in my workflow, and was having a hard time because GitHub Actions not only masks secrets, but it seems also all kinds of envrionment variables I set in my workflow, and even the logs outputted by my application!

For example, I was getting a “connection refused” error to an application that I was spin up to do acceptance testing.
I eventually found out in the application logs, that it was given an error that the database didnt exist.

So the first thing I tried was to see if the database env var was being set correctly. I couldnt find out as even I printed the value directly in my application, it was masked. Heck, I even tried to base64 it, still masked.

With luck, I found out that I was not creating the database in my Postgres service, becuase I had a wrong env variable name.

After solving this problem, my application was up, but still receiving connection refused.

Let´s do a docker ps to see if I am exposing the correct ports. Impossible, the ports are masked!

Here is an example log:

Run docker run --name="***" -d --network "github_network_970def570bed417ea74e7d9ddff7e9e3" -p ***:*** --env-file=.env.*** $TEST_IMAGE_NAME
  docker run --name="***" -d --network "github_network_970def570bed417ea74e7d9ddff7e9e3" -p ***:*** --env-file=.env.*** $TEST_IMAGE_NAME
  sleep 5
  docker ps -a
  shell: /bin/bash -e {0}
    TEST_IMAGE_NAME: go-api-sample:1f76c707716cb4bdc6def533f80d4f36a1c3fcce
    GO_VERSION: 1.15
    GO111MODULE: on
    APP_ENV: ***
    APP_PORT: ***
    DB_HOST: ***
    DB_PORT: ***
    DB_USER: ***
    DB_DATABASE: ***
    DB_PASSWORD: ***
    GOROOT: /opt/hostedtoolcache/go/1.15.3/x64
CONTAINER ID        IMAGE                                                    COMMAND                  CREATED             STATUS                    PORTS                    NAMES
b7d33f82eb8e        go-api-sample:1f76c707716cb4bdc6def533f80d4f36a1c3fcce   "/bin/***"               12 seconds ago      Up 5 seconds    ***->***/tcp   ***
278d9fb8eab9        ***:12                                              "docker-entrypoint.s…"   48 seconds ago      Up 42 seconds (healthy)***->***/tcp   dae7490f3e864a56b4cf6ed223f088bf_***12_faf1ed

How I am suppose to do any useful debug with this?

Is there anyway to change this behavior? I unserstand masking the secrets, but things like docker ports, or my own application logs / variables doenst make much sense and makes impossible to debug anything.

Thank you.

As far as I know there isn’t a way to disable masking. As a workaround, you could try writing debug information to a file and uploading that as an artifact, just make sure not to write anything that’s actually secret.

Normally, if the value of an environment variable is contained in (or equal to) the value of a secrets used in the same workflow, the value of the environment variable also will be masked in the logs.

If you do not need the value to be masked, you can try to not use the related secrets or remove the secrets from the repository.