Skip to content
Latchkey

How to Debug an Empty Secret in GitHub Actions

You cannot print a secret to confirm it, but you can print its length: zero means it is missing or misnamed.

Pass the secret through an env var and echo only ${#VAR} (its character count). A length of 0 means the secret is unset, misnamed, or not available to this event.

Steps

  • Map the secret to an env var in the step.
  • Echo only its length, never its value.
  • A length of 0 means it is missing for this run.

Workflow

.github/workflows/ci.yml
steps:
  - name: Is the secret present?
    env:
      TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    run: |
      echo "DEPLOY_TOKEN length = ${#TOKEN}"
      if [ -z "$TOKEN" ]; then
        echo "::error::DEPLOY_TOKEN is empty or not set"
        exit 1
      fi

Gotchas

  • Never echo "$TOKEN"; even masked, a transform (base64, reversal) can leak it.
  • Secrets are not passed to workflows triggered by a fork pull_request, so length is 0 there by design.
  • Environment secrets only appear when the job declares that environment:.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →