How to Keep GitHub Tokens Out of CI Logs
Secrets and App-token outputs are masked automatically; add-mask covers tokens you compute at runtime.
Values from secrets.* and the App token action are redacted in logs as ***. If you derive a token yourself, emit ::add-mask:: before it can appear. Never print a token to confirm it.
Steps
- Reference tokens via
secrets.*or the action output so masking applies. - For a computed token, echo
::add-mask::<value>before first use. - Pass tokens through env vars or stdin, not visible CLI flags.
Workflow
.github/workflows/ci.yml
steps:
- id: mint
run: |
TOKEN=$(./exchange-for-token.sh)
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
- env:
GH_TOKEN: ${{ steps.mint.outputs.token }}
run: gh api /rate_limitGotchas
- Mask before the value can appear anywhere, or it leaks once.
- Masking only hides logs; it does not restrict what the token can do.
Related guides
How to Rotate GitHub Tokens and App Keys Used by CIRotate the credentials CI depends on, from PATs to GitHub App private keys, on a schedule and after any suspe…
How to Configure Git to Use a Token for HTTPS in CIConfigure git in CI to authenticate HTTPS operations with a GitHub App or scoped token using an http.extrahea…