GitHub Actions: How to mask workflow_dispatch inputs, like secrets?

Question

on:
  workflow_dispatch:
    inputs:
      test_password:
        description: 'test_password'
        required: true

env:
  TEST_PASSWORD: ${{ github.event.inputs.test_password }}

The problem is that it prints TEST_PASSWORD input in the log. Is there a way to encrypt/mask this, similar to ${{secrets.test_password }}?

A workaround https://github.community/t/workflow-dispatch-is-it-possible-to-pass-a-secret-as-parameter/121819/6 no longer seems to works.

Answer 1

This doesn't seem to be currently supported by Github but you can retrieve the input and store it in a variable and then mask it, something like this:

on:
  workflow_dispatch:
    inputs:
      secret_value:
        type: string
        required: true
        description: Secret Value

jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Masking inputs
        run: |
          SECRET_VALUE=$(cat $GITHUB_EVENT_PATH | jq -r '.inputs.secret_value' )
          echo "::add-mask::$SECRET_VALUE"