Prevent potential token log #58

Closed
arothian opened this issue Jan 19, 2021 · 1 comment
Comments

@arothian
While GitHub Actions will try to redact secrets printed to logs, I think it would be best if the debug logging in this action didn't include the GH token configured.

https://github.com/peter-evans/repository-dispatch/blob/master/src/main.ts#L13

https://docs.github.com/en/actions/reference/encrypted-secrets

Warning: GitHub automatically redacts secrets printed to the log, but you should avoid printing secrets to the log intentionally.

@peter-evans
Owner

Hi @arothian

Thanks for pointing this out, but I'm not too concerned about this because by default the GitHub Actions runner doesn't print debug lines anyway. You have to explicitly enable it by setting the secret ACTIONS_STEP_DEBUG to true in the repository where the workflow is running. Anyone who is extra cautious can just not enable that debug output.
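
One way to keep a configured token out of debug output whether or not step debugging is enabled, as an added example that is not code from this repository or from either participant. It assumes the action gathers its inputs into a plain object before logging them; `redactForDebug`, `debugLine`, `SENSITIVE_KEYS` and the sample values are hypothetical names and constructed data.

```typescript
// Added example: all names here are hypothetical, not the action's own code.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

const SENSITIVE_KEYS = /token|secret|password/i;
const MASK = "***";

// Return a deep copy of `value` that is safe to log:
//  - a property whose name looks sensitive is replaced by MASK
//  - a known secret embedded inside any other string is replaced too
function redactForDebug(value: Json, secrets: string[], key = ""): Json {
  if (key !== "" && SENSITIVE_KEYS.test(key)) return MASK;
  if (typeof value === "string") {
    return secrets
      .filter((s) => s.length > 0) // an empty secret would match everywhere
      .reduce((out, s) => out.split(s).join(MASK), value);
  }
  if (Array.isArray(value)) return value.map((v) => redactForDebug(v, secrets));
  if (value !== null && typeof value === "object") {
    const copy: { [k: string]: Json } = {};
    for (const k of Object.keys(value)) copy[k] = redactForDebug(value[k], secrets, k);
    return copy;
  }
  return value; // numbers, booleans and null carry no secret text
}

// Build the line that would be handed to the debug logger.
function debugLine(inputs: { [k: string]: Json }, secrets: string[]): string {
  return `Inputs: ${JSON.stringify(redactForDebug(inputs, secrets))}`;
}

// Constructed sample input; the token value is fake.
const sampleInputs = {
  token: "CONSTRUCTED_FAKE_TOKEN_0000",
  repository: "octo-org/octo-repo",
  eventType: "deploy",
  clientPayload:
    '{"callback":"https://x-access-token:CONSTRUCTED_FAKE_TOKEN_0000@example.invalid/hook"}',
};

console.log(debugLine(sampleInputs, [sampleInputs.token]));
```

Redacting by value as well as by key name covers the case where the token has been copied into another input, such as a URL in the payload. Registering the value with `core.setSecret` from `@actions/core` adds the runner's own masking on top of this.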
