From 9d962e5274fa65d8ef5c4887e7a2fbeeda7b8a59 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 10 Mar 2026 22:44:58 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20[security=20fix]=20Mask=20sensit?=
 =?UTF-8?q?ive=20tokens=20in=20GitHub=20Actions=20logs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Added `core.setSecret(token)` to mask the primary GitHub token.
- Added `core.setSecret(githubMcpToken)` to mask the GitHub MCP token.
- Updated `__fixtures__/core.ts` to include the `setSecret` mock.
- Updated `__tests__/main.test.ts` to verify `setSecret` is called for the tokens.
---
 __fixtures__/core.ts | 1 +
 __tests__/main.test.ts | 2 ++
 src/main.ts | 3 +++
 3 files changed, 6 insertions(+)
diff --git a/__fixtures__/core.ts b/__fixtures__/core.ts
index efe7ebe..becbebd 100644
--- a/__fixtures__/core.ts
+++ b/__fixtures__/core.ts
@@ -9,3 +9,4 @@ export const getBooleanInput = vi.fn()
 export const setOutput = vi.fn()
 export const setFailed = vi.fn()
 export const warning = vi.fn()
+export const setSecret = vi.fn()
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
index 578bf98..387e064 100644
--- a/__tests__/main.test.ts
+++ b/__tests__/main.test.ts
@@ -136,6 +136,7 @@ describe('main.ts', () => {
 await run()
 expect(core.setOutput).toHaveBeenCalled()
+expect(core.setSecret).toHaveBeenCalledWith('fake-token')
 verifyStandardResponse()
 expect(mockProcessExit).toHaveBeenCalledWith(0)
 })
@@ -199,6 +200,7 @@ describe('main.ts', () => {
 await run()
+expect(core.setSecret).toHaveBeenCalledWith('fake-token')
 expect(mockConnectToGitHubMCP).toHaveBeenCalledWith('fake-token', '')
 expect(mockMcpInference).toHaveBeenCalledWith(
 expect.objectContaining({
diff --git a/src/main.ts b/src/main.ts
index 18febc1..73c768a 100644
--- a/src/main.ts
+++ b/src/main.ts
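Review bot: Both added assertions in __tests__/main.test.ts (the -136 hunk and the -200 hunk) check only `expect(core.setSecret).toHaveBeenCalledWith('fake-token')`, which the primary-token mask alone satisfies; in the MCP-path test the dedicated token input appears to be empty (`mockConnectToGitHubMCP` is called with `'fake-token'`), so `githubMcpToken` falls back to the same value and a regression that drops the second `core.setSecret(githubMcpToken)` call would still pass. A test that mocks `core.getInput('github-mcp-token')` to a distinct constructed value and asserts `expect(core.setSecret).toHaveBeenCalledWith('fake-mcp-token')` would pin the second mask, and `expect(core.setSecret).toHaveBeenCalledTimes(2)` would pin that both values are masked. The enclosing `it` blocks start outside both hunks, so the input setup they use is not visible here.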
@@ -61,9 +61,12 @@ export async function run(): Promise { if (token === undefined) { throw new Error('GITHUB_TOKEN is not set') } + core.setSecret(token) // Get GitHub MCP token (use dedicated token if provided, otherwise fall back to main token) const githubMcpToken = core.getInput('github-mcp-token') || token + core.setSecret(githubMcpToken) + const githubMcpToolsets = core.getInput('github-mcp-toolsets') const endpoint = core.getInput('endpoint')
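Review bot: The first added line, `core.setSecret(token)`, is reached with an empty string when the token variable is set but blank, because the guard just above it only tests `token === undefined`; an empty value gives the runner nothing to mask and the action continues with an unusable token, so tightening the guard to `if (!token) {` would fail fast with the same error. Worth a comment on the added lines that masking applies to the exact string only — as far as I know a transformed form (e.g. the token embedded in an encoded header) is not covered — for example `// Mask both token values so they are redacted from workflow logs; only the verbatim string is masked.` When no dedicated `github-mcp-token` input is given the second call masks the same value again, which is harmless. The `Promise<...>` return type in the hunk header looks stripped by rendering, and `run()` continues past the hunk on both sides.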