GitHub Actions secret printed via env shows as *** in run-name and logs
When a secret value is assigned to an env var and that value appears in output, GitHub masks it as ***. If the secret value is short or coincides with normal text, unrelated output can also be masked, making logs confusing.
What this error means
Expected output is replaced by *** wherever the secret value (or a substring equal to it) appears.
github-actions
env:
TOKEN: ${{ secrets.SHORT_TOKEN }} # value happens to be 'prod'
steps:
- run: echo "deploying to prod" # prints: deploying to ***Common causes
Short or common secret values
A secret equal to a common word masks every occurrence of that word in logs.
Secret value echoed intentionally or accidentally
Any path that prints the secret value triggers masking on that substring.
How to fix it
Avoid short, word-like secret values
- Use long, high-entropy secret values so they do not collide with normal log text.
- Rotate secrets that are short common words.
Do not echo secrets
- Remove debug echoes that print secret-derived env vars.
- Pass secrets directly to tools via their input rather than printing them.
.github/workflows/ci.yml
- run: deploy --token "$TOKEN"
env:
TOKEN: ${{ secrets.DEPLOY_TOKEN }}How to prevent it
- Keep secret values long and random to avoid accidental masking collisions.
- Never echo env vars that hold secrets.
Related guides
GitHub Actions secret referenced in a matrix name shows as a masked valueFix matrix leg names rendering as *** because an env var built from a secret was used to construct the matrix…
GitHub Actions Secret Empty or "Context access might be invalid"Fix a GitHub Actions secret that resolves to empty - wrong name, repo vs environment vs org scope, or a secre…
GitHub Actions "Unable to process file command env" (multiline secret to GITHUB_ENV)Fix GitHub Actions "Unable to process file command 'env'" - a multiline value (often a secret) was written to…