Skip to content
Latchkey

How to Keep GitHub Tokens Out of CI Logs

Secrets and App-token outputs are masked automatically; add-mask covers tokens you compute at runtime.

Values from secrets.* and the App token action are redacted in logs as ***. If you derive a token yourself, emit ::add-mask:: before it can appear. Never print a token to confirm it.

Steps

  • Reference tokens via secrets.* or the action output so masking applies.
  • For a computed token, echo ::add-mask::<value> before first use.
  • Pass tokens through env vars or stdin, not visible CLI flags.

Workflow

.github/workflows/ci.yml
steps:
  - id: mint
    run: |
      TOKEN=$(./exchange-for-token.sh)
      echo "::add-mask::$TOKEN"
      echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
  - env:
      GH_TOKEN: ${{ steps.mint.outputs.token }}
    run: gh api /rate_limit

Gotchas

  • Mask before the value can appear anywhere, or it leaks once.
  • Masking only hides logs; it does not restrict what the token can do.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →