Environment variables vs outputs #14

Danny-Smart opened this issue Jan 16, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@Danny-Smart

Hi

In the readme, you mention that environment variables are available to all steps within a job and that we should work to prevent them from being exploited or misused by malicious actions.

Would this issue be negated if the get-secrets action wrote the secrets as outputs rather than environment variables? The secrets wouldn't be automatically available to other steps, but could be passed into them explicitly as required, by the job itself.

From a security point of view, this feels to me like the more secure option; is there another advantage that environment variables have over outputs that would prevent this from being done?

@jbct

jbct commented Feb 2, 2023

Thanks for the feedback, we'll note this as an enhancement request.

@Olfi01

Olfi01 commented May 12, 2023

PR #36 or #37 implements this (they are equivalent, one contains the compiled files in dist and one doesn't)

@int128

int128 commented Feb 19, 2024

I really need this feature.
For using a composite action, it would be nice if we can use outputs instead.

When this action is called twice, it causes the following error:

Error: The environment name 'KEY' is already in use. Please use an alias to ensure that each secret has a unique environment name.
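
The scoping difference raised in the opening post, shown as an added example that is not code from this project or from any commenter. It uses plain `run` steps in place of the get-secrets action; the job names, step id, variable names, sample value and `deploy.sh` are constructed placeholders.

```yaml
# Added illustration: constructed workflow, not taken from the project.
name: env-vs-outputs
on: workflow_dispatch

jobs:
  exported-to-env:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch secret and export it job-wide
        run: |
          value="constructed-sample-value"   # stands in for a fetched secret
          echo "::add-mask::$value"          # redact the value in job logs
          echo "DB_PASSWORD=$value" >> "$GITHUB_ENV"
      - name: Unrelated step
        # Every later step in the job inherits DB_PASSWORD, needed or not.
        run: env | grep -c '^DB_PASSWORD='   # prints 1

  passed-as-output:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch secret and expose it as a step output
        id: fetch
        run: |
          value="constructed-sample-value"
          echo "::add-mask::$value"
          echo "db_password=$value" >> "$GITHUB_OUTPUT"
      - name: Unrelated step
        # Nothing was written to GITHUB_ENV, so the variable is absent here.
        run: |
          if env | grep -q '^DB_PASSWORD='; then exit 1; fi
      - name: Step that needs the secret
        env:
          # The job passes the value explicitly to this one step only.
          DB_PASSWORD: ${{ steps.fetch.outputs.db_password }}
        run: ./deploy.sh   # hypothetical script
```

In the second job the secret reaches only the step whose `env:` block references `steps.fetch.outputs.db_password`, so reviewing which steps can read it means reviewing those references.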
