Copilot Lvl 3
Message 1 of 2

GitHub Actions - Mask non-GitHub Env/Secrets

We're looking to create a custom action to consume secrets stored in Azure Key Vault. Once consumed, we would like to inject them into the environment as secrets (similar to how GitHub Secrets are used today). These injected secrets would be consumed in later steps and discarded once the workflow has completed.

 

To date I have not found a way to populate environment variables (outside of Secrets) that can be passed on to other steps, or a method to mark custom environment variables as requiring to be masked in the output.

 

If this is possible with GitHub Actions today, can you please point me to the documentation for it? If it is not possible, can you please provide this feedback to the GitHub Actions team?

1 Reply
GitHub Staff
Message 2 of 2

Re: GitHub Actions - Mask non-GitHub Env/Secrets

The docs are in the process of being updated but you can add a value to a masker by echoing to standard out.

 

#### Mask a value in log: `add-mask`

`::add-mask::{value}`

Masking a value prevents a string or variable from being printed in the log. Each masked word separated by whitespace is replaced with the `*` character. You can use an environment variable or string for the mask's `value`.

##### Example masking a string

When you print `"Mona The Octocat"` in the log, you'll see `"***"`.

```bash
echo ::add-mask::Mona The Octocat
```

We are also working through an explicit model for actions to output secrets just like they can output standard variables https://github.com/actions/toolkit/blob/master/packages/core/src/core.ts#L48
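
The `add-mask` command from the reply above applied to the original question, as an added example (not code from the post or from GitHub): a value fetched from an external store is masked first and only then passed to later steps through the runner's `GITHUB_ENV` file. `fetch_secret`, `mask_secret`, `export_to_later_steps` and `DB_PASSWORD` are hypothetical names, and the secret value is constructed.

```bash
#!/usr/bin/env bash
# Added example: mask an externally fetched secret before anything can log it,
# then hand it to later steps of the same job.

# Emit one ::add-mask:: command per non-empty line of the value. A workflow
# command is a single line of stdout, so a multi-line secret needs one per line.
mask_secret() {
  local value="$1" line
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done <<EOF
$value
EOF
}

# Append NAME=value to the file the runner reads when the step ends
# ($GITHUB_ENV), using the delimiter form so multi-line values survive.
export_to_later_steps() {
  local name="$1" value="$2"
  local env_file="${GITHUB_ENV:?GITHUB_ENV is not set}"
  local delim="EOF_$$_${RANDOM:-0}"   # unlikely to collide with the value
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$env_file"
}

# Hypothetical stand-in for the Azure Key Vault lookup (constructed value).
fetch_secret() { printf 'constructed-db-password\n'; }

main() {
  local secret
  secret="$(fetch_secret)"
  mask_secret "$secret"                        # mask first ...
  export_to_later_steps DB_PASSWORD "$secret"  # ... then expose to later steps
}

# Run only inside a workflow step, where the runner provides GITHUB_ENV.
if [ -n "${GITHUB_ENV:-}" ]; then main; fi
```

Masking only rewrites log output: later steps still read the real value from `DB_PASSWORD`, and any transformed copy of it (base64, URL-encoded) needs its own mask.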