Why are GitHub Actions secrets exposed in matrix job names even when masked in logs? #190708
Discussion type: Question

I'm using GitHub Actions with matrix builds to test across multiple Node.js versions. I set up a I've tried:

Nothing prevents the secret from appearing in the job name. Is this a GitHub limitation or am I missing something?
Replies: 3 comments
This is a known GitHub Actions security behavior: secrets should never be used directly in matrix strategy variables because the matrix values are interpolated into job metadata (names, etc.) before secret masking is applied. Secret masking only works on the actual job logs, not on the job's metadata properties.

Solution:

    strategy:
      matrix:
        node-version: [16, 18, 20]    # ✓ Safe
        # environment: [dev, prod]    # ✗ Don't put secrets here
    steps:
      - name: Use secret safely in step
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          # Secret is only in environment, masked in logs
          echo "Deploying with token"

    jobs:
      deploy:
        runs-on: ubuntu-latest
        strategy:
          matrix:
            env: [dev, prod]            # Environment names only, never secrets
        environment: ${{ matrix.env }}  # each Environment supplies its own DEPLOY_TOKEN
        steps:
          - name: Deploy
            env:
              DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
            run: echo "Deploying to ${{ matrix.env }}"

This is a security-by-design choice: if you need different secrets per matrix variation, use separate jobs or Environments instead of matrix variables.
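As an added example that is not part of this thread or of GitHub's own tooling, the check below scans a workflow file for the anti-pattern the answer describes: a `${{ secrets.* }}` reference under `jobs.<job_id>.strategy` (matrix values, which end up in the job name) or directly in `jobs.<job_id>.name`, while leaving step-level `env:` and `run:` content alone because those are covered by log masking. It assumes block-style workflow YAML and uses a minimal indentation-based reader instead of a YAML library; the two workflow texts are constructed samples.

```python
"""Flag secret references that land in GitHub Actions job metadata.
Added example for this thread, not GitHub's tooling. A small indentation-based
reader replaces PyYAML so it runs with the standard library; it is assumed to
cover block-style workflow files only (no anchors, flow mappings, multi-doc)."""
import re

SECRET_REF = re.compile(r"\$\{\{[^}]*\bsecrets\.", re.IGNORECASE)
# Keys under jobs.<job_id> that are interpolated into job metadata (job name,
# strategy/matrix) before log masking applies, as described in the thread.
METADATA_KEYS = {"name", "strategy"}
_KEY_VALUE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*:(?:\s+(.*))?$")
_BLOCK_SCALAR = re.compile(r"^[|>][-+]?\d?$")


def find_secret_refs_in_metadata(workflow_text):
    """Return [(line_number, dotted_path, line)] for scalars that reference
    the secrets context from a job-metadata location."""
    findings, stack, block_indent = [], [], None
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Content of `run: |` blocks is log output, which masking covers.
        if block_indent is not None:
            if indent > block_indent:
                continue
            block_indent = None
        text = stripped
        if text.startswith("- "):  # list item: its mapping starts after "- "
            text, indent = text[2:].strip(), indent + 2
        while stack and stack[-1][0] >= indent:  # unwind to enclosing mapping
            stack.pop()
        m = _KEY_VALUE.match(text)
        key, value = (m.group(1), (m.group(2) or "").strip()) if m else (None, text)
        path = [k for _, k in stack] + ([key] if key else [])
        in_metadata = len(path) >= 3 and path[0] == "jobs" and path[2] in METADATA_KEYS
        if in_metadata and SECRET_REF.search(value):
            findings.append((lineno, ".".join(path), stripped))
        if key:
            stack.append((indent, key))
            if _BLOCK_SCALAR.match(value):
                block_indent = indent
    return findings


# Constructed sample: secrets in matrix values and in a job name (flagged).
UNSAFE_WORKFLOW = """\
name: CI
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    name: Deploy ${{ matrix.token }}
    strategy:
      matrix:
        token:
          - ${{ secrets.DEV_TOKEN }}
        include:
          - env: prod
            token: ${{ secrets.PROD_TOKEN }}
    steps:
      - run: echo "deploying"
  release:
    runs-on: ubuntu-latest
    name: Release ${{ secrets.RELEASE_TOKEN }}
    steps:
      - run: echo "releasing"
"""

# Constructed sample: the shape recommended in the thread (not flagged).
SAFE_WORKFLOW = """\
name: CI
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    name: Deploy to ${{ matrix.env }}
    strategy:
      matrix:
        env: [dev, prod]
    environment: ${{ matrix.env }}
    steps:
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          echo "target: ${{ matrix.env }}"
          test -n "$DEPLOY_TOKEN" && echo "deploying with token"
"""

if __name__ == "__main__":
    for label, text in (("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        for lineno, path, line in find_secret_refs_in_metadata(text):
            print(f"{label}:{lineno}: {path}: {line}")
```

Run it as a pre-commit or CI step over `.github/workflows/*.yml`; a non-empty result means a secret would be interpolated into a job name or matrix value, which is exactly the place the thread says masking does not reach.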
Welcome to the GitHub Community, @augustbreay, we're happy you're here! You are more likely to get a useful response if you are posting your question in the applicable category and are explicit about what your project entails; giving a few more details might help someone give you a nudge in the right direction. I've gone ahead and moved it for you. Good luck!
Hi @augustbreay 👋, this is a GitHub Actions limitation: secrets are only masked in logs, not in job names. To keep them safe, avoid putting secrets in the matrix; use a placeholder in the job name and reference the actual secret inside your steps instead.