How to mask environment variables in Github actions

12 Nov 2022

Why

Github actions don’t support the creation of encrypted variables at runtime.
The proposed solution to achieve that is to use “::add-mask::”.

How to

Mask a simple variable

MY_SECRET="something secret"
echo "::add-mask::${MY_SECRET}"
echo "MY_SECRET=$MY_SECRET" >> $GITHUB_ENV

Mask a multiline variable

MY_SECRET="something secret"
echo "$MY_SECRET" > /tmp/secret.txt

echo "MY_SECRET<<EOF" >> $GITHUB_ENV
echo "`cat /tmp/secret.txt`" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV

# masking the variable
for line in $(cat /tmp/secret.txt); do echo "::add-mask::${line}"; done

rm /tmp/secret.txt || true

you can then retrieve this “MY_SECRET” variable anywhere in your builds with "$ " (it will be encrypted)

Recent Posts

Tags

Actions, Github, Kali, Python, Windows, address, alias, build, env, ip, jekyll, mask, pip, rebuild, toolbar, variables, venv, virtualenv, vpn, vpnip, whoami, x86