Read your own GitHub Actions secret back (when base64 gets masked too)

GitHub deliberately won't show you a secret's value after it's saved — you can only overwrite it. Usually that's fine. But sometimes the value you stored is the only surviving copy of something you need back — a signing password, an API key you didn't save elsewhere — and you have write access to the repo's workflows.

You can recover it. Here's the specific workaround.

Why the obvious tricks fail

GitHub scans log output and replaces any exact match of a registered secret with ***:

- run: echo "${{ secrets.MY_SECRET }}"     # -> ***

The classic bypass was base64. That's covered now too — GitHub registers and masks the base64 form of secrets:

- run: echo "${{ secrets.MY_SECRET }}" | base64   # -> ***

Masking is string replacement on output, so it only catches forms it can predict. Re-encode the bytes into one it doesn't register and it prints fine. A hex dump works:

The workflow

# .github/workflows/recover-secret.yml
name: Recover secret
on: workflow_dispatch
jobs:
  reveal:
    runs-on: ubuntu-latest
    steps:
      - env:
          S: ${{ secrets.MY_SECRET }}
        run: |
          echo "hex   : $(printf %s "$S" | od -An -tx1 | tr -d '\n')"
          echo "rev   : $(printf %s "$S" | rev)"
          echo "spaced: $(printf %s "$S" | sed 's/./& /g')"
          echo "length: $(printf %s "$S" | wc -c)"

Commit it, then Actions → Recover secret → Run workflow. The log shows:

hex   :  70 61 73 73 77 6f 72 64
rev   : drowssap
spaced: p a s s w o r d
length: 8

• hex is the reliable one. Decode locally:

  echo '70 61 73 73 77 6f 72 64' | tr -d ' ' | xxd -r -p; echo   # -> password

• rev reads backwards; spaced is the value with a space between each character.

All three survive masking because none is a literal or base64 match of the secret. length is a sanity check.

After you have it

• Delete the workflow and its run logs — the value is now sitting in plaintext in your Actions history.
• Rotate the secret if you can. Re-setting it (even to the same value) re-registers the mask.

One caveat worth stating

This isn't a GitHub bug, and it's not a way past their security model — GitHub documents masking as best-effort, not a boundary, precisely because a workflow runs your code with the secret in plaintext and can emit it in unlimited encodings. The real control is who can run workflows: anyone with that access can read the secrets it sees. Use this only on a repo you own, to recover a value that's yours.