Make sure no information fetched from secrets manager is logged

Use GitHub's log masking to ensure even tokens that do not match
GitHub's default filter are replaced by asterisks.

.github/workflows/release-brew.yaml

@@ -66,8 +66,12 @@ jobs:
 
       - name: Fetch secrets
         run: |
-          echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
-          echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          bot_email=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')
+          echo "::add-mask::$bot_email"
+          echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+          homebrew_github_api_token=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')
+          echo "::add-mask::$homebrew_github_api_token"
+          echo "HOMEBREW_GITHUB_API_TOKEN=$homebrew_github_api_token" >> $GITHUB_ENV
 
       - name: Configure git user name and email
         run: |
@@ -102,8 +106,12 @@ jobs:
 
       - name: Fetch secrets
         run: |
-          echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+          echo "::add-mask::$fork_repo"
+          echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
 
       - name: Checkout PR
         run: |
@@ -167,8 +175,12 @@ jobs:
 
     - name: Fetch secrets
       run: |
-        echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
-        echo "FORK_REPO=https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git" >> $GITHUB_ENV
+        bot_email="$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')"
+        echo "::add-mask::$bot_email"
+        echo "BOT_EMAIL=$bot_email" >> $GITHUB_ENV
+        fork_repo="https://$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')@github.com/${{ env.BOT_USER }}/homebrew-$(echo ${{ env.TAP }} |cut -d / -f 2).git"
+        echo "::add-mask::$fork_repo"
+        echo "FORK_REPO=$fork_repo" >> $GITHUB_ENV
 
     - name: Configure git user name and email
       run: |

.github/workflows/release-pypi.yaml

@@ -27,8 +27,12 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Fetch secrets
         run: |
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
-          echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
+          twine_password="$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$twine_password"
+          echo "TWINE_PASSWORD=$twine_password" >> $GITHUB_ENV
       - name: set asset path and name
         id: get_package_name
         run: |

.github/workflows/release.yaml

@@ -38,7 +38,9 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Fetch secrets
         run: |
-          echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+          github_token="$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')"
+          echo "::add-mask::$github_token"
+          echo "GITHUB_TOKEN=$github_token" >> $GITHUB_ENV
       - name: Create release
         uses: actions/create-release@v1
         with: