Currently, export-env has a default value of true and is also suggested to be set to true in the README.
While it is convenient to do so, it makes the secrets available as ENVs to all the later steps, including the third-party GitHub Actions. This can easily lead to leaking secrets when using malicious or vulnerable GitHub actions.
Thus, I think it should at least be mentioned in README.
Additionally, the usage of the step outputs of load-secrets-action should also be documented.
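To illustrate the two configurations the issue contrasts, here is an added example workflow (not from the load-secrets-action README or the project). It assumes secrets are referenced with 1Password's op:// syntax, that the service account token is passed as OP_SERVICE_ACCOUNT_TOKEN, and that with export-env: false the action exposes each loaded value as a step output named after its env var; the vault, item and third-party action names are placeholders.

```yaml
# Added example (not from the load-secrets-action README). Two jobs show the
# exposure raised in the issue and a narrower alternative. Assumptions: op://
# reference syntax, OP_SERVICE_ACCOUNT_TOKEN as the auth env var, and that with
# export-env: false each value is available as steps.<id>.outputs.<ENV_NAME>.
# Vault, item and third-party action names are placeholders.
name: deploy

on: [push]

jobs:
  # Weak: export-env: true writes DEPLOY_TOKEN into the job environment, so
  # every later step, including the third-party action, can read it.
  broad-exposure:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DEPLOY_TOKEN: op://placeholder-vault/placeholder-item/token
      # Placeholder third-party action: inherits DEPLOY_TOKEN from the job env
      # although it has no need for it.
      - uses: some-org/third-party-action@v1
      # Reads $DEPLOY_TOKEN from the job env.
      - run: ./deploy.sh

  # Narrower: export-env: false keeps the value out of the job environment;
  # only the step that needs it receives it, via an explicit step output.
  scoped-exposure:
    runs-on: ubuntu-latest
    steps:
      - id: op
        uses: 1password/load-secrets-action@v2
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DEPLOY_TOKEN: op://placeholder-vault/placeholder-item/token
      # Same placeholder third-party action: the secret is not in its environment.
      - uses: some-org/third-party-action@v1
      # Only this step is handed the value, and only through its own env block.
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ steps.op.outputs.DEPLOY_TOKEN }}
```

In the second job, a step that does not declare the secret in its env block never sees it, which is the property the issue asks the README to point out.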
datbth changed the title from "export-envs security risk" to "export-env security risk" on Oct 2, 2024