Skip to content
Latchkey

GitHub Actions secret printed via env shows as *** in run-name and logs

When a secret value is assigned to an env var and that value appears in output, GitHub masks it as ***. If the secret value is short or coincides with normal text, unrelated output can also be masked, making logs confusing.

What this error means

Expected output is replaced by *** wherever the secret value (or a substring equal to it) appears.

github-actions
env:
  TOKEN: ${{ secrets.SHORT_TOKEN }}   # value happens to be 'prod'
steps:
  - run: echo "deploying to prod"   # prints: deploying to ***

Common causes

Short or common secret values

A secret equal to a common word masks every occurrence of that word in logs.

Secret value echoed intentionally or accidentally

Any path that prints the secret value triggers masking on that substring.

How to fix it

Avoid short, word-like secret values

  1. Use long, high-entropy secret values so they do not collide with normal log text.
  2. Rotate secrets that are short common words.

Do not echo secrets

  1. Remove debug echoes that print secret-derived env vars.
  2. Pass secrets directly to tools via their input rather than printing them.
.github/workflows/ci.yml
- run: deploy --token "$TOKEN"
  env:
    TOKEN: ${{ secrets.DEPLOY_TOKEN }}

How to prevent it

  • Keep secret values long and random to avoid accidental masking collisions.
  • Never echo env vars that hold secrets.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →