[BUG]: sensitive output (actions/runners/registration-token) can't be masked

[dennisameling]

What happened?

Consider the following Actions config:

   - name: Generate Actions Runner token
      uses: octokit/[email protected]
      id: generate-actions-runner-token
      with:
        route: POST /repos/{owner}/{repo}/actions/runners/registration-token
        owner: ${{ env.ACTIONS_RUNNER_ORG }}
        repo: ${{ env.ACTIONS_RUNNER_REPO }}
      env:
        GITHUB_TOKEN: ${{ secrets.GH_API_PAT }}

   - name: Set and mask Actions Runner token for next steps
     run: |
        # We need to mask the token first before setting it to an env variable
        echo "::add-mask::${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}"
        ACTIONS_RUNNER_TOKEN=${{ fromJson(steps.generate-actions-runner-token.outputs.data).token }}
        echo ACTIONS_RUNNER_TOKEN=$ACTIONS_RUNNER_TOKEN >> $GITHUB_ENV    

This actually exposes the token to the CI logs, as also reported in this issue: actions/runner#475

You might want to add a warning about this to the README of this action or find another solution to hide this sensitive data. Thanks!

Versions

octokit/[email protected]

Relevant log output

See above

Code of Conduct

• I agree to follow this project's Code of Conduct

[kfcampbell]

@dennisameling thanks for your concern here! This does appear to be a bug with actions/runner upstream as you've linked; I can't find anywhere in this repository we have logic related to masking specifically.

I do think that a README update might be useful here. Is that something you have interest in creating?

[dennisameling]

Sorry for the late reply here!

I do think that a README update might be useful here. Is that something you have interest in creating?

Sure, please give me a few days to work through some other things first. Will link the PR to this issue when done 👍🏼

[kfcampbell]

Perhaps an enterprising Hacktoberfest contributor may want to take this on!