How to mask github action tokens safely

I am following the steps at Git-Clone · Codefresh | Docs in order to obtain a GitHub access token from the codefresh git integration. When the freestyle stage runs a command such as:

 - git clone https://my-github-username:$

Then the codefresh build log will include the actual value of the GITHUB_TOKEN, rather than a masked version.

(in my case I’m actually updating the origin of the repository cloned by main_clone so that it includes the GITHUB_TOKEN and I am able to push back commits after bumping version numbers - but it is similar in sentiment)

The only solution I have is to inline the command which fetches the token as such:

 - git clone https://my-github-username:$(codefresh get context github --decrypt -o yaml | yq -r

but that is quite messy, and I’d rather extract the value to a variable.

Has anybody else done this in such a way that the github token is not leaked to the build?


Could you please post the full YAML of your step? I cannot reproduce this.
Here is what I get in similar build

Here is my yaml

title: Uploading report
stage: report
image: alpine/git
working_directory: '${{my_clone}}'
  - git config --global ""
  - git config --global "Kostis Kapelonis"
  - cd /tmp
  - >-
    git clone --depth 1
    -b gh-pages

The full pipeline is here codefresh-plugin-checker/codefresh.yml at master · kostis-codefresh/codefresh-plugin-checker · GitHub