
# 10 GitHub Actions Mistakes That Will Burn You (And How to Avoid Them)

I've spent the last year auditing and fixing GitHub Actions across 17+ repositories. Some mistakes are embarrassing. Some are dangerous. Most are avoidable. Here are the ten I see over and over—and exactly how to fix them.

## 1. Logging Secrets (The Classic)

You're debugging a failed workflow. The obvious thing to do is echo your environment variables. So you do:

```yaml
- name: Debug
  run: echo "Token is: ${{ secrets.GITHUB_TOKEN }}"
```

The logs are public. Everyone sees it. Congratulations, your secret is now on the internet.

The fix:

- Never echo secrets in plain text.
- Use `::add-mask::` to mask values:

```yaml
- name: Debug
  run: |
    echo "::add-mask::$(echo 'sensitive-value')"
    echo "Processing: $(echo 'sensitive-value')"
```

Workflow Guardian catches this by analyzing your workflow YAML for secret exposure patterns. Set it up once, sleep better.

## 2. Using Always-Green Credentials (No Secret Rotation)

You created a Personal Access Token (PAT)
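Back to mistake 1: as an added example (not from the article and not Workflow Guardian's code), here is the kind of check that "analyzing your workflow YAML for secret exposure patterns" describes. It is a stdlib-only Python scanner that reports every `${{ secrets.* }}` expression interpolated directly into a `run:` script, while leaving references under `env:` alone, since passing a secret through an environment variable keeps it out of the script text. The sample workflow, `find_secret_exposures`, and its line-based handling of YAML are constructed for this illustration.

```python
import re
from typing import List, Tuple

# A GitHub Actions expression that references a secret, e.g. ${{ secrets.GITHUB_TOKEN }}
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# A `run:` key (optionally as a list item); group 2 is the inline script or a block indicator
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def find_secret_exposures(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, secret_name) for each secrets.* expression that is
    interpolated into a `run:` script. Secrets referenced under `env:` or `with:`
    are not reported: they never become part of the shell script text."""
    findings: List[Tuple[int, str]] = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        inline = m.group(2).strip()
        if inline and inline[0] not in "|>":
            # single-line form: run: echo ...
            findings.extend((i + 1, s) for s in SECRET_EXPR.findall(inline))
            i += 1
            continue
        # block scalar: the body is every following non-blank line indented
        # deeper than the column of `run:` (so a sibling `env:` ends the block)
        key_col = lines[i].index("run:")
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() == "":
                i += 1
                continue
            if len(line) - len(line.lstrip()) <= key_col:
                break
            findings.extend((i + 1, s) for s in SECRET_EXPR.findall(line))
            i += 1
    return findings


# Constructed sample: line 8 echoes a secret, line 11 passes one on a command line,
# and the last step hands the same secret over through `env:` instead.
SAMPLE_WORKFLOW = """name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Debug
        run: echo "Token is: ${{ secrets.GITHUB_TOKEN }}"
      - name: Deploy
        run: |
          ./deploy.sh --token ${{ secrets.DEPLOY_TOKEN }}
          echo "done"
        env:
          LOG_LEVEL: debug
      - name: Deploy (env)
        run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

if __name__ == "__main__":
    for line_no, secret in find_secret_exposures(SAMPLE_WORKFLOW):
        print(f"line {line_no}: secrets.{secret} interpolated into a run: script")
```

Run against the sample it reports lines 8 and 11 only; the `env:`-based step is silent, which is the pattern to convert the flagged steps to.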
Continue reading on Dev.to DevOps