Secure workflow secrets from log exposure#45

Draft
Copilot wants to merge 7 commits intomasterfrom
copilot/configure-security-workflows

Conversation

Copilot AI commented Feb 15, 2026

Workflow logs could expose secrets if shell debugging was enabled or commands were echoed. API keys in URL parameters and runtime tokens were particularly vulnerable.

Changes

etherscan-apiv2.yml

  • Isolate API calls in subshells with set +x to prevent command echoing
  • Add ::add-mask:: at job start to mask secrets throughout workflow
  • Clean up temporary response files immediately

Before:

curl "https://api.etherscan.io/v2/api?apikey=${{ secrets.ETHERSCAN_API_KEY }}"

After:

- name: Security - Disable shell debugging and mask secrets
  run: |
    set +x
    echo "::add-mask::${{ secrets.ETHERSCAN_API_KEY }}"

# Later in workflow:
(
  set +x 2>/dev/null
  url="https://api.etherscan.io/v2/api?apikey=${{ secrets.ETHERSCAN_API_KEY }}"
  curl -s "${url}" -o /tmp/response.json
)
rm -f /tmp/response.json

configure-docker/action.yml

  • Mask ACTIONS_RUNTIME_TOKEN with core.setSecret() before export

if (key === 'ACTIONS_RUNTIME_TOKEN') {
  core.setSecret(process.env[key]);
}

Documentation

  • Created .github/WORKFLOW_SECURITY.md with security patterns and contributor guidelines
  • Covers defense-in-depth approach: secret masking, subshell isolation, immediate cleanup
  • Includes security checklist for new workflows

Pattern

Four-layer defense: GitHub Actions masking → global set +x → subshell isolation → immediate cleanup. Etherscan requires URL-based auth; subshells with disabled echoing prevent log exposure while maintaining API compatibility.
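The `set -x` leak the description guards against and the subshell pattern it adopts, as an added shell example that is not part of the PR: the API key is a constructed placeholder, `fake_curl` stands in for curl so it runs offline, and the runner-side `::add-mask::` layer is outside what a local script can show.

```shell
#!/bin/sh
# Added example, not code from the PR: shows the `set -x` leak the PR guards
# against and the subshell + `set +x` + immediate-cleanup pattern it adopts.
# The key below is a constructed placeholder and fake_curl replaces curl so
# the script runs offline; GitHub's ::add-mask:: layer is not reproducible here.
API_KEY="EXAMPLE_KEY_NOT_REAL_1234"
RESPONSE="${TMPDIR:-/tmp}/response.json"

# Stand-in for `curl -s URL -o FILE`: writes a fake JSON body to FILE.
fake_curl() {
  printf '{"status":"1","url":"%s"}\n' "$2" > "$4"
}

# The "before" shape: the secret is expanded on a traced command line.
# Returns the xtrace output so the caller can inspect what a log would show.
traced_unsafe_call() {
  { set -x
    fake_curl -s "https://api.etherscan.io/v2/api?module=account&apikey=${API_KEY}" -o "$RESPONSE"
    set +x; } 2>&1
  rm -f "$RESPONSE"
}

# The "after" shape: tracing is switched off inside a subshell before the
# secret is expanded, and the response file is removed straight away.
traced_safe_call() {
  { set -x
    (
      set +x 2>/dev/null
      url="https://api.etherscan.io/v2/api?module=account&apikey=${API_KEY}"
      fake_curl -s "${url}" -o "$RESPONSE"
    )
    rm -f "$RESPONSE"
    set +x; } 2>&1
}

# Succeeds (0) if the raw key appears in the given trace text, else fails (1).
trace_contains_key() {
  case "$1" in *"$API_KEY"*) return 0 ;; *) return 1 ;; esac
}
```

Run `traced_unsafe_call` and `traced_safe_call` side by side: the first trace carries the key on the `fake_curl` line, the second shows only `set +x` and the `rm` of the response file.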

Copilot AI and others added 5 commits February 15, 2026 22:00
Copilot AI changed the title from "[WIP] Configure workflows for security to hide private data" to "Secure workflow secrets from log exposure" Feb 15, 2026