How to mask github action tokens safely

I am following the steps at Git-Clone · Codefresh | Docs in order to obtain a GitHub access token from the codefresh git integration. When the freestyle stage runs a command such as:

 - git clone https://my-github-username:$GITHUB_TOKEN@github.com/my-github-username/my-repo.git

Then the codefresh build log will include the actual value of the GITHUB_TOKEN, rather than a masked version.

(in my case I’m actually updating the origin of the repository cloned by main_clone so that it includes the GITHUB_TOKEN and I am able to push back commits after bumping version numbers - but it is similar in sentiment)

The only solution I have is to inline the command which fetches the token as such:

 - git clone https://my-github-username:$(codefresh get context github --decrypt -o yaml | yq -r .spec.data.auth.password)@github.com/my-github-username/my-repo.git

but that is quite messy, and I’d rather extract the value to a variable.

Has anybody else done this in such a way that the github token is not leaked to the build?

Hello

Could you please post the full YAML of your step? I cannot reproduce this.
Here is what I get in similar build

no-token1207×311 10.6 KB

Here is my yaml

title: Uploading report
stage: report
image: alpine/git
working_directory: '${{my_clone}}'
commands:
  - git config --global user.email "kostis@codefresh.io"
  - git config --global user.name "Kostis Kapelonis"
  - cd /tmp
  - >-
    git clone --depth 1
    https://kostis-codefresh:$GITHUB_TOKEN@github.com/kostis-codefresh/codefresh-plugin-checker.git
    -b gh-pages

The full pipeline is here codefresh-plugin-checker/codefresh.yml at master · kostis-codefresh/codefresh-plugin-checker · GitHub