by goerz 1895 days ago
Why doesn’t GitHub Actions limit the environment variables it exposes to jobs/steps? The codecov step doesn’t need my GitHub or PyPI tokens! Environment variables should be opt-in for every step in the pipeline: I should have to explicitly list every environment variable I want to expose. This leak is as much on GitHub as it is on Codecov.
2 comments

GitHub actually introduced "Environments" recently, which allow you to do what you are asking for. Lots of existing pipelines haven't migrated yet of course.

https://docs.github.com/en/actions/reference/environments

Nice!
GitHub Actions actually requires you to explicitly pass secrets to individual steps. If you're using GitHub Actions, what got leaked was the commit metadata, and the codecov token itself. Unless you manually passed the entire environment to the codecov step, that is.
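As an added example (not code from any comment in this thread, nor from GitHub or Codecov), here is a workflow that does what the last reply describes and what the original post asks for: each secret is handed only to the one step that needs it, the job-level `env` mapping that would expose every secret to every step is shown commented out as the anti-pattern, and the publish job uses the environment-scoped secrets the second reply links to. The secret names, the environment name `release`, and the job layout are assumptions; the action names and their `token` and `password` inputs are the ones those actions document.

```yaml
# Added example for this thread, not a workflow from the original post.
# PYPI_API_TOKEN, CODECOV_TOKEN and the "release" environment are placeholders.
name: ci

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    # Anti-pattern (kept commented out on purpose): a job-level or
    # workflow-level env block that maps secrets makes them readable by every
    # step in scope, including third-party actions such as the coverage upload.
    #
    # env:
    #   ALL_SECRETS:    ${{ toJSON(secrets) }}
    #   PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
    #   CODECOV_TOKEN:  ${{ secrets.CODECOV_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Run tests with coverage
        run: |
          pip install pytest pytest-cov
          pytest --cov --cov-report=xml

      # The upload step receives exactly one secret, through the action's own
      # input rather than a shared env block. It has no path to PYPI_API_TOKEN,
      # and GITHUB_TOKEN is not exported as an environment variable unless a
      # step maps it explicitly.
      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

  publish:
    needs: test
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    # Environment-scoped secret: a secret stored on the "release" environment
    # resolves only in jobs that declare this environment, and the environment
    # can additionally require reviewer approval before the job starts.
    environment: release
    steps:
      - uses: actions/checkout@v4

      - name: Build distribution
        run: |
          pip install build
          python -m build

      # Only this step, in this job, ever sees the PyPI token.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
```

A quick audit of an existing repository is to search `.github/workflows/` for `toJSON(secrets)` and for `env:` blocks at the workflow or job level whose values reference `secrets.`; any hit is a place where a secret is visible to steps that may not need it and should be moved down to the single step that consumes it.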