How to Mask a Secret in GitHub Actions
Repo secrets are masked automatically; add-mask lets you hide values you compute at runtime.
Emit the ::add-mask::<value> workflow command for any sensitive value generated during the run. Subsequent log lines redact it as ***.
Steps
- Compute the sensitive value in a step.
- Echo
::add-mask::<value>before using it. - Optionally persist it to
$GITHUB_OUTPUTfor later steps.
Workflow
.github/workflows/ci.yml
steps:
- id: token
run: |
TOKEN=$(./mint-token.sh)
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
- run: ./deploy.sh --token ${{ steps.token.outputs.token }}Gotchas
- Mask the value before it can appear anywhere in logs, or it leaks once.
- Masking only redacts logs; it does not encrypt the value in transit.
Related guides
How to Use Environment Secrets in GitHub ActionsScope secrets per deployment target in GitHub Actions with environment secrets, so a job that names an enviro…
How to Share Environment Variables Across Steps in GitHub ActionsShare a value computed in one step with later steps in GitHub Actions by appending name=value to the GITHUB_E…