add-mask doesn't work with workflow_dispatch inputs

Describe the bug

GitHub Actions workflow with inputs cannot be masked using add-mask.

To Reproduce

  1. Create workflow
name: add-mask-test
on: 
  workflow_dispatch:
    inputs:
      secret:
        description: 'secret value'
        required: true
jobs:
  my-job:
    runs-on: ubuntu-latest
    steps:
      - name: add-mask test
        run: |
          echo "::add-mask::${{ github.event.inputs.secret }}"
  2. Run workflow entering secret value “password” as input
  3. Look at workflow log and see value “password” appears twice without masking

Expected behavior

The value in add-mask does not appear at all in the workflow log output

Runner Version and Platform

Current runner version: '2.272.0'
Operating System Ubuntu 18.04.4 LTS

What’s not working?

The value in add-mask appears twice without masking

Job Log Output

add-mask test
shell: /bin/bash -e {0}
Run echo "::add-mask::password"
echo "::add-mask::password"
shell: /bin/bash -e {0}

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 16
  • Comments: 13 (2 by maintainers)

Top GitHub Comments

27 reactions
netzwirt commented, Oct 14, 2020

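My workaround: create a shell variable from your input:

        run: |
           # Read the input from the event payload instead of a ${{ }} expression.
           # jq -r emits the raw string, so no quote stripping with sed is needed.
           MY_SECRET=$(jq -r '.inputs.secret' "$GITHUB_EVENT_PATH")
           echo "::add-mask::$MY_SECRET"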

19 reactions
mykhailo-inv-disco commented, Apr 20, 2021

Full example with inputs and outputs. Leaving for reference.

Inputs

Workflow file:

name: Test masking inputs
on:
  workflow_dispatch:
    inputs:
      secret:
        description: "secret value"
        required: true
      token:
        description: "token value"
        required: true
      secret_token:
        description: "secret_token value"
        required: true
jobs:
  test_masking_inputs:
    runs-on: ubuntu-20.04
    steps:
      - name: Test masking inputs
        id: add_mask
        run: |
          INP_SECRET=$(jq -r '.inputs.secret' $GITHUB_EVENT_PATH)
          INP_TOKEN=$(jq -r '.inputs.token' $GITHUB_EVENT_PATH)
          INP_SECRET_TOKEN=$(jq -r '.inputs.secret_token' $GITHUB_EVENT_PATH)
          echo Before mask
          echo $INP_SECRET
          echo $INP_TOKEN
          echo $INP_SECRET_TOKEN
          echo ::add-mask::$INP_SECRET
          echo ::add-mask::$INP_TOKEN
          echo ::add-mask::$INP_SECRET_TOKEN
          echo After mask
          echo $INP_SECRET
          echo $INP_TOKEN
          echo $INP_SECRET_TOKEN
          echo Setting output
          echo ::set-output name=secret::$INP_SECRET
          echo ::set-output name=token::$INP_TOKEN
          echo ::set-output name=secret_token::$INP_SECRET_TOKEN
          echo Setting environment variables
          echo SECRET="$INP_SECRET" >> $GITHUB_ENV
          echo TOKEN="$INP_TOKEN" >> $GITHUB_ENV
          echo SECRET_TOKEN="$INP_SECRET_TOKEN" >> $GITHUB_ENV

      - name: Check output from another step
        run: |
          echo "${{ steps.add_mask.outputs.secret }}"
          echo "${{ steps.add_mask.outputs.token }}"
          echo "${{ steps.add_mask.outputs.secret_token }}"

      - name: Check environment variables 1
        run: |
          echo "${{ env.SECRET }}"
          echo "${{ env.TOKEN }}"
          echo "${{ env.SECRET_TOKEN }}"

      - name: Check environment variables 2
        run: |
          echo $SECRET
          echo $TOKEN
          echo $SECRET_TOKEN

Output

Test masking inputs:

Before mask
(boo3)()
)wo%o()ho$o(
not_really..)(*^%%%%%%%^&*$
After mask
***
***
***
Setting output
Setting environment variables

Check output from another step (WRONG):

***
)wo%o()ho(
***

Check environment variables 1 (WRONG):

***
)wo%o()ho(
***

Check environment variables 2: (CORRECT?)

***
***
***

As I understand it, the last case is the correct usage of a masked input (use it as an environment variable after placing it into GITHUB_ENV during the add_mask step), as opposed to the two previous steps, where stars appear only because the variable contains a SECRET substring in its name.
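
Added example, not part of the thread and not the runner's code: in the two "WRONG" outputs the token value has lost its `$o`, because a `${{ ... }}` expression is pasted into the script text before the shell parses it, so the shell expands `$o` and the printed string no longer matches the registered mask. The sketch below reproduces that locally; `mask_line` is a simplified stand-in for the runner's exact-match log masking (an assumption), and the sample value is the token from the output above.

```shell
#!/bin/sh
# Constructed sample: the "token" input value shown in the comment's output.
TOKEN_INPUT=')wo%o()ho$o('

# Simplified stand-in for the runner's log masking (assumption, not runner
# code): replace each exact occurrence of the registered value with ***.
mask_line() {  # $1 = log line, $2 = value registered with ::add-mask::
  LINE=$1 MASK=$2 awk 'BEGIN {
    line = ENVIRON["LINE"]; mask = ENVIRON["MASK"]; out = ""
    while (mask != "" && (i = index(line, mask)) > 0) {
      out = out substr(line, 1, i - 1) "***"
      line = substr(line, i + length(mask))
    }
    print out line
  }'
}

# What `echo "${{ env.TOKEN }}"` becomes: the value is pasted into the script
# text first, then the shell parses it and expands $o (unset) to nothing.
via_expression() {
  (unset o; sh -c "echo \"$TOKEN_INPUT\"")
}

# What `echo $TOKEN` does (quoted here): the script text holds only the
# variable name, and the value arrives through the environment unchanged.
via_environment() {
  TOKEN=$TOKEN_INPUT sh -c 'echo "$TOKEN"'
}

# The same mask is registered in both cases; only the second line matches it.
printf 'expression:  %s\n' "$(mask_line "$(via_expression)" "$TOKEN_INPUT")"
printf 'environment: %s\n' "$(mask_line "$(via_environment)" "$TOKEN_INPUT")"
```

The same parsing step is why a `${{ ... }}` expression inside `run:` can change the script itself when the input contains shell syntax, while a value read from the environment or from `$GITHUB_EVENT_PATH` stays data.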
