I am using GitHub Actions to run some test scripts and then push a report as an artifact which is published via GitHub Pages.
GitHub obfuscates secrets in logs; however, the test report would show the secrets.
I would like to either warn if this report HTML contains a GH secret, or obfuscate it before publishing.
I have researched SO questions and GH Actions but cannot find a solution.
GitHub has features such as secret scanning with push protection, but they are designed to find secrets in source code. Your case is a bit different in that the secret might be leaked from GitHub Actions.
How about scanning your files with Gitleaks before uploading the artifact? It even comes with a GitHub Action.
Usage would look something like this:
If Gitleaks finds a secret, the workflow would stop. There are more options, and using it in an organization requires a license (free for one repo, paid for more than one repo).
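Added example, not part of the question or the answer above and not Gitleaks: a Python script that searches the report directory for the literal values of the workflow's own secrets (raw, HTML-escaped and base64-encoded) and either fails the job or masks them before the artifact is uploaded. The script name, the `--redact` flag and the secret names passed on the command line are hypothetical; it assumes the step maps each secret into an environment variable with `env:`.

```python
import base64
import html
import os
import sys
from pathlib import Path

MASK = b"***"
MIN_LEN = 4  # shorter values would match ordinary report text


def needles(secrets):
    """(bytes, name) pairs: each secret raw, HTML-escaped and base64-encoded."""
    out = set()
    for name, value in secrets.items():
        if len(value) < MIN_LEN:
            continue
        raw = value.encode()
        for form in (raw, html.escape(value).encode(), base64.b64encode(raw)):
            out.add((form, name))
    # Longest first, so a secret that contains another is masked whole.
    return sorted(out, key=lambda pair: len(pair[0]), reverse=True)


def scan_report(report_dir, secrets, redact=False):
    """Return {relative path: secret names found}; mask in place if redact."""
    findings = {}
    root = Path(report_dir)
    wanted = needles(secrets)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        hit_names = set()
        for needle, name in wanted:
            if needle in data:
                hit_names.add(name)
                data = data.replace(needle, MASK)
        if hit_names:
            findings[path.relative_to(root).as_posix()] = sorted(hit_names)
            if redact:
                path.write_bytes(data)
    return findings


if __name__ == "__main__":
    # usage: python scan_report.py <report_dir> [--redact] NAME [NAME ...]
    args = [a for a in sys.argv[1:] if a != "--redact"]
    values = {n: os.environ[n] for n in args[1:] if os.environ.get(n)}
    found = scan_report(args[0], values, redact="--redact" in sys.argv)
    for file, names in found.items():
        print(f"::warning::{file} contains secret(s): {', '.join(names)}")
    # Without --redact a hit fails the job, so the artifact is never uploaded.
    sys.exit(1 if found and "--redact" not in sys.argv else 0)
```

Only the secret names are printed, never the values, and the step has to run before the upload or Pages deploy step for a failure to block publication.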