From 454ad4798cc2161cc8b62e0d40e146e6a0859432 Mon Sep 17 00:00:00 2001
From: Tobias Wilfert <36408720+tobias-wilfert@users.noreply.github.com>
Date: Tue, 8 Apr 2025 15:20:26 +0200
Subject: [PATCH] Added warning to documentation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These strings leaking has been a known issue since at least 5 years (See github issue: https://github.com/actions/runner/issues/475) regardless of whether or not this will ever be fixed the least that can be done is give the user a heads up that these 2 use cases will not mask the values. (Removing the 2 sections in their entirety might also be an option 🤔).
---
 .../workflow-commands-for-github-actions.md                   | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md b/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md
index 470b100ee532..c1039c772e01 100644
--- a/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md
+++ b/content/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md
@@ -289,6 +289,7 @@ Write-Output "::add-mask::Mona The Octocat"
 
 > [!WARNING]
 > Make sure you register the secret with 'add-mask' before outputting it in the build logs or using it in any other workflow commands.
+> This will still leak the string initialy as part of the echo statment.
 
 ### Example: Masking an environment variable
 
@@ -324,6 +325,9 @@ jobs:
 
 {% endpowershell %}
 
+> [!WARNING]
+> This will still leak the string as part of the env.
+
 ### Example: Masking a generated output within a single job
 
 If you do not need to pass your secret from one job to another job, you can: