Dynamic Secret Scrubbing

NixCI automatically scrubs the secrets configured for a project from job output. In addition, build scripts can mask values that only become known at runtime (a token fetched from an auth server, a generated password) by printing ::add-mask:: commands.

How It Works

To mask a secret value during a job, print a line in this format to stdout or stderr:

::add-mask::YOUR_SECRET_VALUE

From that point on, every occurrence of YOUR_SECRET_VALUE in later job output is replaced with <REDACTED:DYNAMIC_SECRET>. Only literal occurrences are matched: an encoded form of the value (base64, URL-encoded) is a different string and needs its own ::add-mask:: command.

You can also provide a name for the masked value:

::add-mask name=MY_TOKEN::the_actual_secret_value

Named masks are redacted as <REDACTED:MY_TOKEN>. Names may contain only letters, digits and underscores.

The ::add-mask:: command line itself is stripped from the output and will not appear in the logs.

Example

A test script might do:

TOKEN=$(curl -s https://auth.example.com/token)
[ -n "$TOKEN" ] || exit 1   # an empty value would be silently ignored by ::add-mask::
printf '::add-mask::%s\n' "$TOKEN"
set -x   # turn on command tracing only after the mask is registered
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/data

With tracing on, the curl command appears in the log with the token value replaced:

+ curl -H 'Authorization: Bearer <REDACTED:DYNAMIC_SECRET>' https://api.example.com/data

The order matters. If set -x were already in effect, the shell would trace the mask command as + printf '::add-mask::%s\n' the_actual_secret_value before running it. That trace line does not start with ::add-mask::, so it is not recognized as a command, and it is emitted before the mask exists, so the token would be logged in clear.

Limitations

  • Minimum length: Secret values must be at least 5 characters long. Shorter values are ignored to avoid excessive false-positive redaction.
  • Single-line commands: The ::add-mask:: command must appear on its own line. It will not be recognized if there is other text before ::add-mask:: on the same line.
  • Forward-only: Masking only applies to output produced after the ::add-mask:: command. Output that has already been sent to the server is not retroactively scrubbed.
  • Single-line secrets: The secret value must not contain newline characters. If you need to mask a multi-line value, mask each line separately. The minimum-length rule applies to each line, so a short line of a multi-line value (for example the final line of a base64-encoded key) stays unmasked.
  • No removal: Once a mask is added, it cannot be removed for the remainder of the job.
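The following reference scrubber applies the rules from How It Works and the limitations listed above to a constructed log, so you can preview what will survive in a job log before pushing. It is an added example, not NixCI's own code, and it assumes three things the page does not state: masks are applied longest value first (so a secret that contains another masked secret does not leak its remainder), an ::add-mask:: line whose value is rejected is still stripped, and matching is a literal substring match rather than a regex. The log lines and the PEM-like key are constructed.

```python
"""Reference scrubber for NixCI ::add-mask:: commands.

Added example, not NixCI's code. Assumptions not stated by the docs:
  * masks are applied longest value first;
  * an ::add-mask:: line whose value is rejected (too short) is still stripped;
  * matching is a literal substring match, not a regex.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional

MIN_SECRET_LEN = 5  # values shorter than this are ignored (Limitations: minimum length)

# The command must start the line; the optional name is letters, digits, underscores.
_CMD_RE = re.compile(r"^::add-mask(?: name=([A-Za-z0-9_]+))?::(.*)$")


class Scrubber:
    def __init__(self) -> None:
        self._masks: Dict[str, str] = {}  # secret value -> replacement token

    def add_mask(self, value: str, name: Optional[str] = None) -> bool:
        """Register a mask. Returns False when the value is rejected."""
        if len(value) < MIN_SECRET_LEN or "\n" in value:
            return False
        self._masks[value] = f"<REDACTED:{name or 'DYNAMIC_SECRET'}>"
        return True  # masks are never removed for the rest of the job

    def scrub(self, line: str) -> str:
        """Replace every registered value in one line, longest value first."""
        for value in sorted(self._masks, key=len, reverse=True):
            line = line.replace(value, self._masks[value])
        return line

    def filter_lines(self, lines: Iterable[str]) -> Iterator[str]:
        """Process job output in order: masks apply only to lines after the command."""
        for line in lines:
            match = _CMD_RE.match(line)  # no match if any text precedes ::add-mask::
            if match:
                self.add_mask(match.group(2), match.group(1))
                continue  # the command line itself never reaches the log
            yield self.scrub(line)


def mask_commands(value: str, name: Optional[str] = None) -> List[str]:
    """Build one ::add-mask:: command per line of a multi-line secret.

    Lines shorter than MIN_SECRET_LEN cannot be masked and are dropped here;
    for a base64-encoded key that is typically the short final line, which
    will therefore stay visible in the log.
    """
    prefix = f"::add-mask name={name}::" if name else "::add-mask::"
    return [prefix + part for part in value.splitlines() if len(part) >= MIN_SECRET_LEN]


# Constructed job output, as the server would receive it line by line.
SAMPLE_LOG = [
    "fetched token s3cr3t-token-value",            # before the mask: stays in clear
    "::add-mask::s3cr3t-token-value",
    "curl -H 'Authorization: Bearer s3cr3t-token-value' https://api.example.com/data",
    "::add-mask name=DB_PASS::hunter2hunter2",
    "echo ::add-mask::s3cr3t-token-value",         # not at line start: ordinary output
    "::add-mask::abc",                             # too short: command stripped, nothing masked
    "db password=hunter2hunter2 pin=abc",
]


def scrub_sample() -> List[str]:
    """Run the constructed log through a fresh scrubber and return what would be logged."""
    return list(Scrubber().filter_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for out in scrub_sample():
        print(out)
```

Longest-first ordering in scrub() is the one non-obvious design choice: if both abcdef and abcdefgh are masked and the shorter one were applied first, the log would show the redaction token followed by gh, which is exactly the partial leak a scrubber exists to prevent.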