Interestingly, this was not the same as secrets.GITHUB_TOKEN - your workflow is passing environment variables `token1` and `token2` but you're evaluating `TOKEN1` and `TOKEN2`. Environment variables are case sensitive (on POSIX platforms) so they were both empty and that's why they were the same in your test.
But that's an aside. This was part of a change that we made this morning to how temporary secrets are managed and renewed. Prior to this, `github.token` and `secrets.github_token` were the same value. With this change, we were separating them into distinct values. In this case, we should have been masking the value of the `github.token` like we were for the `secrets.github_token`.
We've rolled back this change, so now the value of those two variables are the same again, which means that you should not be able to see `github.token` in any log output, it should be masked. (But also note that any tokens that were visible in log output were time limited and have already expired.)
Thanks for letting us know.
Thanks for replying!
I was mistaken that environment variables are case insensitive as I read Japanese translation (maybe a bit older than English one).
I also understood the details about `github.token` and `secrets.GITHUB_TOKEN`.