🔒 [security fix] Mask sensitive tokens in GitHub Actions logs
- Added `core.setSecret(token)` to mask the primary GitHub token. - Added `core.setSecret(githubMcpToken)` to mask the GitHub MCP token. - Updated `__fixtures__/core.ts` to include the `setSecret` mock. - Updated `__tests__/main.test.ts` to verify `setSecret` is called for the tokens.
This commit is contained in:
@@ -61,9 +61,12 @@ export async function run(): Promise<void> {
|
||||
if (token === undefined) {
|
||||
throw new Error('GITHUB_TOKEN is not set')
|
||||
}
|
||||
core.setSecret(token)
|
||||
|
||||
// Get GitHub MCP token (use dedicated token if provided, otherwise fall back to main token)
|
||||
const githubMcpToken = core.getInput('github-mcp-token') || token
|
||||
core.setSecret(githubMcpToken)
|
||||
|
||||
const githubMcpToolsets = core.getInput('github-mcp-toolsets')
|
||||
|
||||
const endpoint = core.getInput('endpoint')
|
||||
|
||||
Reference in New Issue
Block a user