Possibility to hidde public environment variable from logs

When we define public environment variable value of this variable is printed at the beginning of log, and everybody can easy get this value and I don’t have any posibility to know who read it.

It will be useful if we have posibility to hide public variable from log.

I know that public varible can be discovered if somebody create pull request with specific change. But from other side I know if somebody create pull request and I can figure out if new code do something strenge.

I can take on that hidden variable can be compromised, but some situation it will be better for me to have posibility to define hidden varible which I can use for pull request.

For example I will use sonar to decorate issues in new code.
As we know sonar require tokens to work.
I can create special account in sonar service which have only required grant to do analize. So if somebody steal token for this account it will not so danger.

If you don’t want them to show up in either of Setting environment variables from … bits, you can define and export them in your script.

For example, assuming you have the file envs.sh at the repository root with this content:

export HIDDEN1=hidden

All you have to do is:

  - source envs.sh

There is no way for you to know who read the public environment variables, though. Since those will be visible on GitHub.

I know that I can set environment variable in code in many ways, but in this case value will be easily visible to everyone without any control.

So therefore I would like to have possibility to set value in build settings.

Of Course it will be also possible to read but this task will be a little more complicated and I will have some history of this tries.