Kinsta

Posted on • Originally published at kinsta.com

Keep It Secret, Keep It Safe: How To Use GitHub Actions Secrets To Hide Sensitive Data

GitHub Actions is GitHub’s built-in continuous integration and continuous delivery (CI/CD) platform that enables development teams to automate their workflow, including the build, test, and deployment pipeline.

One drawback of GitHub Actions is that workflow logs are visible to anyone who can view the repository, which for a public repository means everyone.

To prevent sensitive data from being exposed in GitHub Actions logs, you should use encrypted environment variables to store sensitive data safely. These encrypted environmental variables are known as GitHub Actions Secrets.

This post will show you how to use GitHub Actions Secrets to prevent sensitive information from appearing in your GitHub Actions logs.

Prerequisites:

To follow this tutorial:

How To Keep Your GitHub Action Logs Secure

When you build workflows using GitHub Actions, any visitor to your repository can view the logs, so they shouldn’t include sensitive information. However, you can’t just delete your tokens, passwords, and other sensitive information — you need them for testing and for your app to function correctly.

The solution is to hide them with the ::add-mask:: workflow command, which replaces every later occurrence of the masked value in the log with asterisks (***).

The following section shows you how to mask a log.

How To Mask Logs

First, open the cloned repository in your text editor.

Create the .github/workflows/ directory in the root of your repository to store your workflow files. Then, create a new file named hide-secrets.yml in the .github/workflows directory and add the following code to it:

```yaml
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: echo a secret
        run: echo "your secret token is verySecretToken"
```

Commit the changes and push them to your GitHub repository. The updated GitHub Actions workflow is active and will be triggered whenever you push a new change.

Open your repository on GitHub and select the Actions tab to view the logs. Your workflow should appear as follows:

Preview your workflow in GitHub

Examining the workflow logs, you’ll find the verySecretToken string printed in plain text. Click on your workflow, and then on the job name (print-secret-token), to view the log. It should look like this:

Examine your GitHub action logs

To hide it with the ::add-mask:: command, edit the hide-secrets.yml file and add a new step at the start of the print-secret-token job:

```yaml
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::verySecretToken"
      - name: echo a secret
        run: echo "your secret token is verySecretToken"
```

The Add Mask step must come first, because masking only applies to output produced after ::add-mask:: has run. If any step prints verySecretToken before the Add Mask step, that output will still appear unmasked. So, to ensure the value is hidden, register it with ::add-mask:: as early as possible.

Once you commit and push your modifications to your GitHub repository, the string verySecretToken is replaced by asterisks (***) wherever it appears in your logs:

Make plain texts

While this fixes the masking problem, it introduces a new one. Your verySecretToken is still in the workflow file, so anyone with access to the source code can see it.

Another downside of masking plain text is that masking just part of a word will hide all instances of it. For example, take the following sentence: “Programming is great, but my most productive days are those when I do not write a program.” If you mask the word “program,” it won’t only mask the word at the end of the sentence but also anywhere else it appears, such as in “programming.”

If you try to mask plain text, you’ll end up with something like this:

Problem with masking plain texts

A better approach to hiding sensitive data in GitHub Actions logs is to use GitHub Actions Secrets, as demonstrated in the following section.

How To Use GitHub Actions Secrets?

You can use GitHub Actions Secrets to store any private data you want to use in your GitHub Actions workflow. Secrets are created as key/value pairs at the repository or organization level.

Secrets created at the repository level can only be accessed by that repository, while secrets created at the organization level are shared by all repositories within the organization.

Secrets created at the repository level are available for use in workflows by anyone who has the collaborator role on the repository. You can change the value of a secret at any time. However, secrets are not passed to workflows triggered from a forked repository.

The following guidelines apply for naming secrets:

  • Secret names can’t contain spaces.

  • Secret names are not case-sensitive.

  • Secret names cannot begin with a number.

  • Secret names must not begin with the prefix GITHUB_.

  • Secret names must be unique — secrets with the same name can’t exist at the same level.

You reference a secret inside a workflow through the secrets context: prefix the secret name with secrets. inside a ${{ }} expression, as shown below:

```yaml
${{ secrets.MY_SECRET_TOKEN }}
```

You can also mask secrets for more security, as shown in the following section.

How To Mask Secrets

First, create a GitHub secret. In your repository on GitHub, click the Settings tab, select Secrets > Actions from the left sidebar, and then click New repository secret to add a new secret:

Create a new repository secret

Give your secret a name and a secret value, then click Add secret:

Add a new GitHub Secret

Now that you’ve created your secret and given it the verySecretToken value, you can use it in your workflow file. Open your hide-secrets.yml file and make the following changes:

```yaml
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
      - name: Echo a secret
        run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"
```

The only difference from the previous version is that the hard-coded token has been replaced with a reference to your newly created GitHub secret, ${{ secrets.MY_SECRET_TOKEN }}.

Once you commit the code and push the changes to your GitHub repository, your secrets are masked:

Masked GitHub Actions Secrets
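As an added example (not code from the original article), this variant of the workflow assumes the same MY_SECRET_TOKEN repository secret and passes it to the shell through env rather than interpolating it into the script itself; it also shows the case where ::add-mask:: is still needed, a value derived from the secret (here a hypothetical base64 encoding), which GitHub does not redact automatically the way it redacts the secret itself.

```yaml
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    # Expose the secret to the shell as an environment variable instead of
    # interpolating ${{ secrets.* }} directly into the run script.
    env:
      MY_SECRET_TOKEN: ${{ secrets.MY_SECRET_TOKEN }}
    steps:
      - name: Echo the secret itself
        # The exact secret value is redacted by GitHub without a mask step.
        run: echo "your secret token is $MY_SECRET_TOKEN"
      - name: Mask and echo a value derived from the secret
        # A transformed value (hypothetical example: its base64 encoding) is
        # not recognised as the secret, so register it with ::add-mask::
        # before any command prints it.
        run: |
          encoded="$(printf '%s' "$MY_SECRET_TOKEN" | base64 -w0)"
          echo "::add-mask::$encoded"
          echo "encoded token is $encoded"
```

In the resulting log both the raw token and its encoded form appear as asterisks, while a version of the second step without the ::add-mask:: line would print the encoded form in clear.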

Summary

You mustn’t reveal any sensitive information in your GitHub Action logs. Plain text masking is one way to hide data, but anyone accessing your workflow files can see the information you’re trying to hide.

As this tutorial demonstrates, GitHub Actions Secrets are a much more secure way to safeguard your sensitive data, which you can then mask in the logs.

Read our documentation to learn more about using Git at Kinsta. Try our Application Hosting for free now.
