How to Mask a Custom Value in Logs in GitHub Actions
Repo and environment secrets mask automatically; add-mask lets you hide a value you compute during the run.
Emit the ::add-mask::<value> workflow command for any sensitive value generated at runtime. Every later log line redacts it as ***.
Steps
- Compute the sensitive value in a step.
- Echo
::add-mask::<value>before using it anywhere. - Optionally persist it to
$GITHUB_OUTPUTfor later steps.
Workflow
.github/workflows/ci.yml
steps:
- id: token
run: |
TOKEN=$(./mint-token.sh)
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
- run: ./deploy.sh --token ${{ steps.token.outputs.token }}Gotchas
- Mask the value before it can appear anywhere in logs, or it leaks once.
- Masking only redacts logs; it does not encrypt the value in transit.
Related guides
How to Store a Multiline Secret in GitHub ActionsStore and use a multiline secret like a PEM key or service-account JSON in GitHub Actions by writing the secr…
How to Use Environment-Scoped Secrets in GitHub ActionsBind secrets to a single GitHub Actions environment so a job only sees that target credentials when it declar…