Secrets derived from other secrets are not known to the workflow runner and therefore not masked unless explicitly registered.
Avoid defining non-plain secrets. For example, do not define a secret containing a JSON object and then read properties out of it in the workflow, since the values read this way will not be masked by the workflow runner.
```yaml
# Not masked: values are read out of a JSON secret
- env:
    username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
    password: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientSecret }}
  run: |
    echo "$username"
    echo "$password"
```

```yaml
# Masked: each value is its own plain secret
- env:
    username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }}
    password: ${{ secrets.AZURE_CREDENTIALS_CLIENT_SECRET }}
  run: |
    echo "$username"
    echo "$password"
```
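To find this pattern in existing workflows, the following added example (not code from this page or from any linter) scans workflow text for properties read out of `fromJson(secrets.…)`. The function name `find_derived_secrets` and the sample workflow are constructed for illustration, and the regex is an approximation that assumes each expression sits on one line.

```python
import re

# A ${{ ... }} expression block on a single line.
EXPR = re.compile(r"\$\{\{(.*?)\}\}")

# fromJson(secrets.NAME) followed by a property read, either .prop or ['prop'].
# Expression function and context names are case-insensitive, hence IGNORECASE.
DERIVED = re.compile(
    r"fromjson\(\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\)"
    r"\s*(?:\.\s*([A-Za-z_][A-Za-z0-9_-]*)|\[\s*'([^']+)'\s*\])",
    re.IGNORECASE,
)

def find_derived_secrets(workflow_text):
    """Return (line_number, secret_name, property) for each value derived
    from a JSON secret; such values are not masked by the runner."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        for expr in EXPR.finditer(line):
            for m in DERIVED.finditer(expr.group(1)):
                findings.append((lineno, m.group(1), m.group(2) or m.group(3)))
    return findings

# Constructed sample: the two steps shown above, plus the index syntax.
SAMPLE_WORKFLOW = """\
steps:
  - env:
      username: ${{ fromJson(secrets.AZURE_CREDENTIALS).clientId }}
      password: ${{ fromJSON(secrets.AZURE_CREDENTIALS)['clientSecret'] }}
    run: echo "$username"
  - env:
      username: ${{ secrets.AZURE_CREDENTIALS_CLIENT_ID }}
    run: echo "$username"
"""

if __name__ == "__main__":
    for lineno, secret, prop in find_derived_secrets(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {secret}.{prop} is derived from a JSON secret")
```
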