mask the value in GitHub action run
10:13 15 Mar 2026

As part of our platform CI/CD standardization, we are implementing a controlled approach to ensure that sensitive parameters provided by application teams are not exposed in pipeline logs when workflows run in GitHub Actions.

The objective is to maintain a centralized pipeline where application teams only provide the required parameters for their application execution, while the DevOps platform pipeline controls how those parameters are handled, including masking any confidential values.

In this model, application teams will simply pass parameters when invoking the shared pipeline. They do not need to configure secrets, masking rules, or any additional security configuration in their repositories. All sensitive handling will be managed within the centralized pipeline.

Below is a simplified example of how the application team consumes the shared pipeline:

Application Repository Workflow

name: Application Pipeline

on:
  workflow_dispatch:
    inputs:
      app_name:
        required: true
      W:
        required: true

jobs:
  run:
    uses: org/platform-pipeline/.github/workflows/standard.yml@v1
    with:
      app_name: ${{ github.event.inputs.app_name }}
      W: ${{ github.event.inputs.W }}

In this case, the application team simply passes the parameter "W". They are not responsible for masking it.

The centralized pipeline will enforce masking automatically before any execution steps occur.

Centralized Platform Pipeline

name: Standard Pipeline

on:
  workflow_call:
    inputs:
      app_name:
        required: true
        type: string
      W:
        required: false
        type: string

jobs:
  pipeline:
    runs-on: ubuntu-latest
    steps:
      - name: Mask sensitive parameters
        # The input is passed through the environment instead of being
        # interpolated into the script body with ${{ inputs.W }}, so its
        # contents are never parsed as shell code.
        env:
          W_VALUE: ${{ inputs.W }}
        run: |
          if [ -n "$W_VALUE" ]; then
            echo "::add-mask::$W_VALUE"
          fi

      - name: Execute pipeline
        env:
          W_VALUE: ${{ inputs.W }}
        run: |
          echo "Application: ${{ inputs.app_name }}"
          echo "Parameter W value: $W_VALUE"

Proof of Masking in Logs

If the parameter "W" contains a sensitive value such as:

W=my-secret-password

The GitHub Actions log output will appear as:

Application: payment-service

Parameter W value: ***

This demonstrates that the parameter value is successfully masked even if it appears in the logs.

Implementation Summary

1. Application teams only pass required parameters when invoking the shared pipeline.

2. The platform pipeline identifies sensitive parameters.

3. A masking step is executed at the start of the workflow.

4. Any occurrence of the sensitive value in logs is automatically replaced with "***".

5. Application teams do not need to manage secret handling.

This approach allows us to maintain a secure and standardized CI/CD pipeline while preventing accidental exposure of confidential values in pipeline logs.
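As an added example that is not part of the original post, the helper below is what the masking step could call. It assumes the reusable workflow hands the sensitive input to the step through an environment variable (named W_VALUE here) and registers a mask for every line of the value, because GitHub masks registered strings one line at a time, so a multi-line value (a PEM key, a JSON blob) is only fully hidden when each line is registered.

```shell
#!/bin/sh
# Added example, not the original post's workflow. Assumed usage in the
# reusable workflow:
#   env:
#     W_VALUE: ${{ inputs.W }}
#   run: emit_masks "$W_VALUE"
# The value reaches the script through the environment, so it is never
# interpolated into the script body as shell code.

# Print one ::add-mask:: workflow command per non-empty line of $1.
# A registered mask matches a single line, so a multi-line value must be
# registered line by line or only its first line is hidden in the log.
# Returns 0 if at least one mask was emitted, 1 if the value was empty.
emit_masks() {
    value="$1"
    count=0
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -n "$line" ]; then
            echo "::add-mask::$line"
            count=$((count + 1))
        fi
    done <<EOF
$value
EOF
    [ "$count" -gt 0 ]
}

# Stand-alone run with a constructed two-line value; in a real job these
# commands must be emitted before any later step prints the value.
emit_masks "$(printf 'line-one\nline-two')" || echo "nothing to mask" >&2
```

The `::add-mask::` commands only affect log lines written after they are emitted, which is why the post runs this step first.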

hashicorp-vault