🔒 [security fix] Mask sensitive tokens in GitHub Actions logs

- Added `core.setSecret(token)` to mask the primary GitHub token.
- Added `core.setSecret(githubMcpToken)` to mask the GitHub MCP token.
- Updated `__fixtures__/core.ts` to include the `setSecret` mock.
- Updated `__tests__/main.test.ts` to verify `setSecret` is called for the tokens.
This commit is contained in:
google-labs-jules[bot]
2026-03-10 22:44:58 +00:00
parent b7792492cd
commit 9d962e5274
3 changed files with 6 additions and 0 deletions

View File

@@ -61,9 +61,12 @@ export async function run(): Promise<void> {
if (token === undefined) {
throw new Error('GITHUB_TOKEN is not set')
}
core.setSecret(token)
// Get GitHub MCP token (use dedicated token if provided, otherwise fall back to main token)
const githubMcpToken = core.getInput('github-mcp-token') || token
core.setSecret(githubMcpToken)
const githubMcpToolsets = core.getInput('github-mcp-toolsets')
const endpoint = core.getInput('endpoint')