Secrets Scrubbing
If a task references a secret, Mint will attempt to remove its value from any logs or artifacts produced by the run.
Specifically, Mint will do the following:
- If a sequence of bytes in the logs matches a secret value, the sequence will be replaced with asterisks (*******). Note that the number of asterisks is static: a shorter or longer secret value will not change the content of your logs.
- Secrets in artifacts (such as task outputs) are replaced with a reference to them. For example, if Mint finds the value of a secret called "example", it is rewritten as ${{ secrets.example }}. Tasks that later use these artifacts will resolve the secret reference again.
Limitations
Please note that Mint will only match secret values against their plain-text representation. If the secret value is encoded in a different format, Mint will not be able to remove it.
A side effect of this is that it's possible to leak the existence of very generic secrets. For example, if you define a secret for the value echo, Mint filters any mentions of echo in its logs or artifacts.
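The scrubbing behaviour and both limitations can be reproduced with a small plain-text matcher. This is an added example, not Mint's implementation: the function names, the sample secrets and the sample log are constructed for illustration, and the audit helper is an assumed way to check your own output for encoded copies.

```python
import base64
import re

MASK = b"*******"  # fixed width, so the mask does not reveal the secret's length

# Constructed sample values; not real credentials and not real Mint output.
SECRETS = {"example": "s3cr3t-t0ken", "generic": "echo"}
LOG = (b"+ echo deploying with s3cr3t-t0ken\n"
       b"+ auth header: " + base64.b64encode(b"s3cr3t-t0ken") + b"\n")


def scrub(data: bytes, secrets: dict[str, str], artifact: bool = False) -> bytes:
    """Mask plain-text secret values (logs) or swap in a reference (artifacts)."""
    by_value = {value.encode(): name for name, value in secrets.items() if value}
    if not by_value:
        return data
    # Single pass, longest value first: overlapping secrets are matched whole
    # and inserted replacements are never scanned again.
    ordered = sorted(by_value, key=len, reverse=True)
    pattern = re.compile(b"|".join(re.escape(v) for v in ordered))

    def replacement(match: re.Match) -> bytes:
        if artifact:
            return b"${{ secrets." + by_value[match.group(0)].encode() + b" }}"
        return MASK

    return pattern.sub(replacement, data)


def surviving_encodings(scrubbed: bytes, secrets: dict[str, str]) -> list[tuple[str, str]]:
    """Audit scrubbed output for encoded copies of secrets that were not removed.

    Only catches a secret encoded on its own; a blob that encodes the secret
    together with neighbouring bytes looks different and needs decoding first.
    """
    found = []
    for name, value in secrets.items():
        raw = value.encode()
        forms = {"base64": base64.b64encode(raw), "hex": raw.hex().encode()}
        found += [(name, enc) for enc, blob in forms.items() if blob in scrubbed]
    return found


if __name__ == "__main__":
    cleaned = scrub(LOG, SECRETS)
    print(cleaned.decode())                       # the shell command "echo" is masked too
    print(surviving_encodings(cleaned, SECRETS))  # the base64 copy is still in the log
```

Running a check like surviving_encodings over logs before sharing them catches the simplest encoded leaks; avoiding very short or common secret values prevents the over-masking shown for echo.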