This repository has been archived by the owner on Apr 30, 2023. It is now read-only.
GitHub secrets are automatically masked in the action logs, but setting `action_comment` to `true` for e.g. `cdk synth` prints the real secret values directly inside the PR comment.
This can be a security issue if someone uses a secret used in e.g. a lambda function env vars without realizing this will be automatically printed in a PR comment.
Not recommending this shouldn't be fixed (if it can) but just a word of caution: if you're putting secrets into environment variables in plain text then anybody with access to the Lambda is going to be able to read them.
It's recommended that you use either Secrets Manager or Parameter Store to keep the values truly secure.
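A pre-comment check for the leak reported in this issue, as an added example that is not code from this action or from any participant in the thread: it finds Lambda environment variables in a synthesized template whose literal value is a known secret, and masks those values the way the action logs do. It assumes the synth output is available as JSON template text; the sample template, resource name and secret value are constructed.

```python
import json

# Constructed sample: a synthesized template for a Lambda function with a
# plaintext environment variable (resource and key names are made up).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ApiHandler": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.9",
                "Environment": {"Variables": {
                    "API_TOKEN": "s3cr3t-constructed-value",
                    "STAGE": "prod",
                }},
            },
        }
    }
}, indent=2)


def leaked_env_vars(template_text, secrets):
    """Return (resource, variable) pairs whose literal value is a known secret."""
    hits = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        variables = (res.get("Properties", {})
                        .get("Environment", {})
                        .get("Variables", {}))
        for key, value in variables.items():
            # Non-string values are intrinsics such as {"Ref": ...}, not literals.
            if isinstance(value, str) and any(s and s in value for s in secrets):
                hits.append((name, key))
    return hits


def mask(text, secrets):
    """Replace every secret value with *** before the text leaves the runner."""
    # Longest first so a secret that contains another is masked whole.
    for s in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(s, "***")
    return text


if __name__ == "__main__":
    secrets = ["s3cr3t-constructed-value"]
    print(leaked_env_vars(SAMPLE_TEMPLATE, secrets))
    print(mask(SAMPLE_TEMPLATE, secrets))
```

Masking is a plain substring match, so a secret containing characters that JSON escapes (quotes, backslashes) appears in the template in escaped form and must be matched in that form as well.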