Added warning to documentation. #37411

Draft
wants to merge 1 commit into
base: main

tobias-wilfert
These strings leaking has been a known issue for at least 5 years (see GitHub issue: actions/runner#475). Regardless of whether or not this will ever be fixed, the least that can be done is give the user a heads-up that these 2 use cases will not mask the values. (Removing the 2 sections in their entirety might also be an option 🤔.)

Why:

Closes: github issue: actions/runner#475

What's being changed (if available, include any code snippets, screenshots, or gifs):

Merely adding two warnings to two sections, giving the user a heads-up that these "masks" will still leak the string that should be masked.

Check off the following:

  • A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
  • The changes in this PR meet the docs fundamentals that are required for all content.
  • All CI checks are passing and the changes look good in the review environment.


welcome bot commented Apr 8, 2025

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

github-actions bot added the triage label (Do not begin working on this issue until triaged by the team) Apr 8, 2025

github-actions bot commented Apr 8, 2025

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

⚠️ Warning: Our review server is experiencing latency issues.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on the review server. Changes to the data directory are not included in this table.

| Source | Review | Production | What Changed |
| --- | --- | --- | --- |
| actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions.md | fpt, ghec, ghes@ 3.16 3.15 3.14 3.13 3.12 | fpt, ghec, ghes@ 3.16 3.15 3.14 3.13 3.12 | |

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.


jsoref commented Apr 8, 2025

I don't think this is precisely the right fix, but I do agree the example is wrong. I'd be inclined to suggest an example closer to: actions/runner#475 (comment)

(I don't expect to have any time to do anything like this before the end of the month.)

@Sharra-writes

@tobias-wilfert Thanks for opening a PR! Since this is still a draft, could you ping me when this is ready to make sure I don't overlook it? ✨

@@ -289,6 +289,7 @@ Write-Output "::add-mask::Mona The Octocat"

> [!WARNING]
> Make sure you register the secret with 'add-mask' before outputting it in the build logs or using it in any other workflow commands.
> This will still leak the string initialy as part of the echo statment.
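Review bot: The added sentence says the string leaks "as part of the echo statement", but the example directly above it in this hunk is the PowerShell one (`Write-Output "::add-mask::Mona The Octocat"` in the hunk header), so the wording does not match the code the reader has just seen, and "This" has no clear referent. Suggest naming what leaks, for example that the literal written in the `::add-mask::` line itself is still shown, and correcting "initialy" and "statment".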

@jsoref jsoref Apr 8, 2025

At the very least:

Suggested change
> This will still leak the string initialy as part of the echo statment.
> This will still leak the string initially as part of the echo statement.

@@ -324,6 +325,9 @@ jobs:

{% endpowershell %}

> [!WARNING]
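Review bot: The new `> [!WARNING]` alert is placed after `{% endpowershell %}`, so the caveat only appears once the reader has already gone through the example it qualifies. Suggest moving the alert above the example or folding it into the section's introduction. Only the alert marker is visible in this excerpt, so the wording of its body cannot be checked here.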

I think the gist is correct that you can't actually use an env: block to set an unmasked secret and thus this section should be changed to just say as much:

Important

Values set via an env: block in a workflow will be logged. Trying to mask in the step would be too late.
Masking would have to be done beforehand or by providing a file with the data and then reading the value, masking, and setting the variable locally within the shell context.
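
The approach described in the last review comment (read the value from a file, mask it, then set the variable inside the shell), sketched as an added example that is not part of this PR or of GitHub's documentation. The function names, the temp file and the choice to emit one `add-mask` per line are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added sketch, not from the PR or GitHub's docs. Function names are hypothetical.

_mask_and_export() {
  local var_name=$1 secret_file=$2 value line
  # Reject anything that is not a plain shell identifier.
  case $var_name in ''|[0-9]*|*[!A-Za-z0-9_]*)
    echo "invalid variable name" >&2; return 1 ;;
  esac
  [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
  value=$(cat "$secret_file")   # command substitution drops trailing newlines
  [ -n "$value" ] || { echo "refusing to mask an empty value" >&2; return 1; }

  # One add-mask per non-empty line (assumes the runner reads workflow
  # commands line by line from stdout).
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done

  # Set only in this shell, not through an env: block.
  export "$var_name=$value"
}

mask_and_export() {
  # Usage: mask_and_export VAR_NAME /path/to/secret-file
  local restore=0 rc=0
  # Suspend xtrace so `set -x` cannot print the value while it is handled.
  case $- in *x*) restore=1; set +x ;; esac
  _mask_and_export "$@" || rc=$?
  if [ "$restore" -eq 1 ]; then set -x; fi
  return "$rc"
}

# Demo with a constructed value; in CI the file would be provisioned out of band.
demo_file=$(mktemp)
printf 'Mona The Octocat\n' > "$demo_file"
mask_and_export MY_NAME "$demo_file"
rm -f "$demo_file"
```

The value never appears in the workflow file or in the script text, only in the file read at runtime, which is what keeps it out of the step's echoed command.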
