Skip to content
Latchkey

How to Mask a Custom Value in Logs in GitHub Actions

Repo and environment secrets mask automatically; add-mask lets you hide a value you compute during the run.

Emit the ::add-mask::<value> workflow command for any sensitive value generated at runtime. Every later log line redacts it as ***.

Steps

  • Compute the sensitive value in a step.
  • Echo ::add-mask::<value> before using it anywhere.
  • Optionally persist it to $GITHUB_OUTPUT for later steps.

Workflow

.github/workflows/ci.yml
steps:
  - id: token
    run: |
      TOKEN=$(./mint-token.sh)
      echo "::add-mask::$TOKEN"
      echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
  - run: ./deploy.sh --token ${{ steps.token.outputs.token }}

Gotchas

  • Mask the value before it can appear anywhere in logs, or it leaks once.
  • Masking only redacts logs; it does not encrypt the value in transit.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →