[whymarrh]

At their scale I do believe there’s a benefit to authenticating to see logs: a lot of people scrape GitHub for secrets. CI logs are at high risk for user error, errors where a user unintentionally marks something as non-secret when it should’ve been secret. Putting these logs behind auth feels like an easy filter for some scraping.

[holman]

Yeah, definitely. When I was at GitHub we were seeing secrets getting lifted from public pushes and tried within 7 seconds or so, if I recall correctly, and this was five years ago. This was a big reason why there’s a real scanning API now for service providers to be informed if a secret leaks.

By the time a human discovers their mistake it’s usually far too late.

[est31]

That's a good point I guess. Per default, secrets are redacted by github in the logs, but some might slip through, e.g. if only a part of them is printed. Doesn't make me really happy though, I don't want to have to use an account :).