How to Debug an Empty Secret in GitHub Actions
You cannot print a secret to confirm it, but you can print its length: zero means it is missing or misnamed.
Pass the secret through an env var and echo only ${#VAR} (its character count). A length of 0 means the secret is unset, misnamed, or not available to this event.
Steps
- Map the secret to an env var in the step.
- Echo only its length, never its value.
- A length of 0 means it is missing for this run.
Workflow
.github/workflows/ci.yml
steps:
- name: Is the secret present?
env:
TOKEN: ${{ secrets.DEPLOY_TOKEN }}
run: |
echo "DEPLOY_TOKEN length = ${#TOKEN}"
if [ -z "$TOKEN" ]; then
echo "::error::DEPLOY_TOKEN is empty or not set"
exit 1
fiGotchas
- Never
echo "$TOKEN"; even masked, a transform (base64, reversal) can leak it. - Secrets are not passed to workflows triggered by a fork pull_request, so length is 0 there by design.
- Environment secrets only appear when the job declares that
environment:.
Related guides
How to Debug a 403 Permissions Error in GitHub ActionsTrace a 403 Resource not accessible by integration error in GitHub Actions by printing the GITHUB_TOKEN scope…
How to Print the Full Context With toJSON in GitHub ActionsDump an entire GitHub Actions context (github, env, job, steps, runner) to the log with toJSON so you can see…