Copilot Lvl 2
Message 1 of 3

Is showing github.token (probably the same as GITHUB_TOKEN) intentional?

Hi

I've just started trying GitHub Actions.

I'm wondering if it's intentional that github.token (probably the same as GITHUB_TOKEN) in this page is shown in the log view. Is it unsafe?

Thanks :)

[Screenshots: スクリーンショット 2019-09-19 16.57.40.png, スクリーンショット 2019-09-19 17.00.00.png]

2 Replies
Solution
GitHub Staff
Message 2 of 3

Re: Is showing github.token (probably the same as GITHUB_TOKEN) intentional?

Interestingly, this was not the same as secrets.GITHUB_TOKEN - your workflow is passing environment variables `token1` and `token2` but you're evaluating `TOKEN1` and `TOKEN2`. Environment variables are case sensitive (on POSIX platforms) so they were both empty and that's why they were the same in your test.

But that's an aside. This was part of a change that we made this morning to how temporary secrets are managed and renewed. Prior to this, `github.token` and `secrets.github_token` were the same value. With this change, we were separating them into distinct values. In this case, we should have been masking the value of the `github.token` like we were for the `secrets.github_token`.

We've rolled back this change, so now the values of those two variables are the same again, which means that you should not be able to see `github.token` in any log output; it should be masked. (But also note that any tokens that were visible in log output were time limited and have already expired.)

Thanks for letting us know.
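
The reply above traces the matching output to a case mismatch that left both variables empty. As an added example (not part of the original thread and not GitHub's code), this POSIX shell sketch compares two token variables without printing either value and refuses to treat two empty expansions as equal; the function names are hypothetical, and it assumes the variables are exported and that xtrace (`set -x`) is off.

```shell
#!/bin/sh
# Added example (constructed): compare two token variables in a `run:` step
# without echoing either value. All function names here are hypothetical.
# Assumption: xtrace (set -x) is off, otherwise the shell traces the values.

# is_name NAME: true for a valid variable name, which keeps the evals safe.
is_name() {
  case "$1" in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
  esac
}

# case_variants NAME: list exported variables whose name differs from NAME
# only by letter case (for example token1 vs TOKEN1).
case_variants() {
  awk -v want="$1" 'BEGIN {
    for (k in ENVIRON)
      if (k != want && tolower(k) == tolower(want)) print k
  }'
}

# require_env NAME: succeed only if exactly NAME is set and non-empty.
# On failure, report the name (never a value) and any case variants on stderr.
require_env() {
  is_name "$1" || { echo "error: invalid variable name" >&2; return 1; }
  eval "_v=\${$1:-}"
  if [ -n "$_v" ]; then _v=; return 0; fi
  echo "error: '$1' is unset or empty" >&2
  for _n in $(case_variants "$1"); do
    echo "hint: '$_n' is set; names are case-sensitive" >&2
  done
  return 1
}

# compare_tokens A B: print "same" or "different". Returns 2 if either
# variable is missing, so two empty expansions are never reported as equal.
compare_tokens() {
  require_env "$1" || return 2
  require_env "$2" || return 2
  eval "_a=\$$1; _b=\$$2"
  if [ "$_a" = "$_b" ]; then _r=same; else _r=different; fi
  _a=; _b=
  echo "$_r"
}
```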

Copilot Lvl 2
Message 3 of 3

Re: Is showing github.token (probably the same as GITHUB_TOKEN) intentional?

Thanks for replying!

I was mistaken in thinking that environment variables are case insensitive, as I read the Japanese translation (maybe a bit older than the English one).

I also understood the details about `github.token` and `secrets.GITHUB_TOKEN`.

Thank you!!