token is revealed in logs

[foolip]

https://github.com/foolip/reffy/runs/205394056 ran with the workflow in https://github.com/foolip/reffy/blob/github-actions-checkout-bug-report/.github/workflows/push.yml, using this step:

    - name: checkout reffy-reports
      uses: actions/checkout@master
      with:
        repository: foolip/reffy-reports
        token: ${{ secrets.REFFY_REPORTS_TOKEN }}
        path: reffy-reports

REFFY_REPORTS_TOKEN was 7fdfbdbaed8a5bb8f6198d988de3348097a41a37 (since regenerated) and the following appears in the logs:

git remote add origin https://github.com/foolip/reffy-reports
git config gc.auto 0
git config --get-all http.https://github.com/foolip/reffy-reports.extraheader
git config --get-all http.proxy
git -c http.extraheader="AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46N2ZkZmJkYmFlZDhhNWJiOGY2MTk4ZDk4OGRlMzM0ODA5N2E0MWEzNw==" fetch --tags --prune --progress --no-recurse-submodules origin +refs/heads/:refs/remotes/origin/

The eC1hY2Nlc3MtdG9rZW46N2ZkZmJkYmFlZDhhNWJiOGY2MTk4ZDk4OGRlMzM0ODA5N2E0MWEzNw== bit is x-access-token:7fdfbdbaed8a5bb8f6198d988de3348097a41a37 base64-encoded.

In other words, the secret is revealed in the logs.

[bryanmacfarlane]

Thank you for reporting! A fix is in progress and will roll out soon.

Note that you don't have to generate a PAT and pass to checkout. The system will generate (a time bombed) token that will just work.

[foolip]

The reason I added a token is that I wanted to push to another repo. I presume the generated token will only have write access to the repo the action is running on?

[TingluoHuang]

Yes, it is, the GITHUB_TOKEN is for your action's running repo.

[bryanmacfarlane]

Fix is rolled out. I'm going to close but please let us know if you see any issues.

[foolip]

Thanks for this quick fix!