How to mask secret data using GitHub Workflow Commands

How to mask secret data using GitHub Workflow Commands


Here in this article we will try to generate an OTP code using python script and try to mask the generated code using the GitHub Worlflow commands.

Test Environment

Ubuntu 22.04

If you are interested in watching the video. Here is the YouTube video on the same step by step procedure outlined below.


Step1: Clone Repository

As a first we are cloning a sample GitHub repository from my GitHub Account. You can fork this repository or create your own repository and use it for this activity.

[admin@fedser github_space]$ git clone

Step2: Create Python Script

Here is a very basic python script which uses the secrets module to generate a 6 digit string otp code.

[admin@fedser learngit]$ cat 
import secrets
import string

OTP = ''
digit = string.digits

def generateOTP():

    global OTP

    for i in range(6):
        OTP +=str(''.join(secrets.choice(digit)))
    return OTP

if __name__ == '__main__':
    token = generateOTP()

Step3: Create Workflow

Here in this step we are creating a very basic workflow in which we are first checking out the repository and then we are generating the OTP code using the python script. This otp code is further being masked using the github workflow commands “::add-mask::”. Once the generated code is masked we are using GITHUB_OUTPUT to make the secret available to other steps within the job. As a final we are trying to pring the OTP code from the GitHUB_OUTPUT data.

[admin@fedser learngit]$ cat .github/workflows/secretsdata.yml 
name: Generate OTP and Mask Data
run-name: ${{ }} is Generating OTP and Masking Data 🚀
on: [push]
    runs-on: ubuntu-latest
      - name: Check out repository code
        uses: actions/checkout@v3
      - name: Install Python
        uses: actions/setup-python@v4
          python-version: '3.11'
      - name: Generate and Mask OTP Code
        id: genotp
        run: |
          otpcode=`python -c "import otpgenerator; x = otpgenerator.generateOTP(); print(x)"`
          echo "otp code before masking : $otpcode"
          echo "::add-mask::$otpcode"
          echo "otpcode=$otpcode" >> "$GITHUB_OUTPUT"
      - name: Print OTP code after Masking
        run: |
          echo "Masked OTP Code is : ${{ steps.genotp.outputs.otpcode }}"

Step4: Push Changes

Once our workflow is ready we can push the changes to our GitHub repository as shown below.

[admin@fedser learngit]$ git add .

[admin@fedser learngit]$ git commit -m "create and push a workflow"

[admin@fedser learngit]$ git push -u origin main

Step5: Validate Workflow

Once the changes are pushed our workflow gets triggered and it tries to generate and mask a OTP code. This OTP code when we try to print using the GitHub_OUPUT you can see that the value is masked.


Hope you enjoyed reading this article. Thank you..