
export-env security risk

Open datbth opened this issue 1 year ago • 0 comments

Currently, `export-env` has a default value of `true` and is also suggested to be set to `true` in the README.

While it is convenient to do so, it makes the secrets available as ENVs to all the later steps, including the third-party GitHub Actions. This can easily lead to leaking secrets when using malicious or vulnerable GitHub Actions.
Thus, I think it should at least be mentioned in the README.

Additionally, the usage of the step outputs of load-secrets-action should also be documented.

datbth avatar Oct 02 '24 18:10 datbth
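The two patterns the issue contrasts, as an added workflow example that is not part of the original issue or of the `load-secrets-action` repository. The first job leaves `export-env` at its default, so the loaded secret lands in the job environment and is inherited by every later step, including the third-party action; the second job sets `export-env: false` and passes the value through a step output to the single step that needs it. The vault/item reference, the third-party action name and the `migrate.sh` script are placeholders, and the `steps.<id>.outputs.<NAME>` form for reading a loaded secret is assumed from the action's documented behaviour when `export-env` is off.

```yaml
name: deploy

on: [push]

jobs:
  # Risky: with export-env left at its default, the loaded secret is written
  # to the job environment and every later step (including third-party
  # actions) inherits it without being granted it explicitly.
  leaky:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Load secrets
        uses: 1password/load-secrets-action@v2
        with:
          export-env: true        # default value; exports DB_PASSWORD to the job env
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://example-vault/example-item/password   # placeholder reference
      - uses: some-org/some-third-party-action@v1   # hypothetical third-party action
        # This step can read DB_PASSWORD from its environment.

  # Safer: keep the secret in a step output and hand it only to the step that
  # needs it, via that step's own env block.
  scoped:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Load secrets
        id: op
        uses: 1password/load-secrets-action@v2
        with:
          export-env: false       # nothing is written to the job env
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          DB_PASSWORD: op://example-vault/example-item/password   # placeholder reference
      - uses: some-org/some-third-party-action@v1   # hypothetical third-party action
        # DB_PASSWORD is not present in this step's environment.
      - name: Run migrations
        run: ./migrate.sh                             # placeholder script
        env:
          # Assumed output naming: the output key matches the env var name
          # given to the action. Only this step receives the value.
          DB_PASSWORD: ${{ steps.op.outputs.DB_PASSWORD }}
```

Passing the output through a step-level `env:` block, as above, keeps the value out of the command line; interpolating `${{ steps.op.outputs.DB_PASSWORD }}` directly into a `run:` script would put it in the shell command text instead, where it is easier to leak through process listings or verbose logging.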