
add env-var-template-variables option #892

Closed

Conversation

tjenkinson
Contributor

wip

@jetersen
Member

I don't think this makes sense as you could potentially extract secrets.

@jetersen jetersen closed this Jan 13, 2022
@tjenkinson
Contributor Author

tjenkinson commented Jan 13, 2022

Hi, did you see #847 (comment)?

@jetersen
Member

I did, but the potential is still there, and not everybody has configured their branch with branch protection, etc.
Even the potential for a bad actor that gets access to a GitHub account and can suddenly extract all org secrets that are available for a repo or repo secrets.
Basically this is just a big NO NO.

@tjenkinson
Contributor Author

I understand the concern about leaking secrets, and how bad that could be if it happened.

I think protection like this is too high level though.

If a user can get a config change into the main branch, they could also get a change in to add a new line to an action config to log the secrets anyway. Any protection at this level is essentially redundant, given there are simpler ways to get the secrets.

@jetersen
Member

jetersen commented Jan 14, 2022

There is already protection for logging secrets, so that is less likely.
Of course they could set up a server and send the secrets to it.
I just don't think ENV is the right way.

If you want further customization you could potentially use the action output body and then use something as simple as envsubst inside your action.

I don't want to support this use case. In your workflow you can add any steps to achieve this.

Also I think there is a limit to how many features we want to support.
Just because you can, does not mean you should add all features.
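The allowlisted substitution jetersen suggests above, as an added example that is not part of this PR or of the project's own code: a POSIX sh function that mirrors `envsubst '$A $B'` using sed, so only the named variables expand and a template that references a secret is left untouched. The function name, template, variable names and token value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not release-drafter code). Render a release-notes template
# in a workflow step, expanding only an explicit allowlist of variables.
# Equivalent in spirit to `envsubst '$VAR1 $VAR2'`, but implemented with
# sed so it runs where gettext is not installed.

# render_template TEMPLATE ALLOWLIST
#   TEMPLATE  - text containing $NAME / ${NAME} references
#   ALLOWLIST - space-separated variable names permitted to expand
# References to any variable outside the allowlist are left as-is, so a
# template cannot pull secrets (tokens, keys) out of the environment.
# Limitation: values containing newlines are not supported.
render_template() {
  template=$1
  allowlist=$2
  script=''
  for name in $allowlist; do
    # Accept well-formed identifiers only; this keeps the eval below safe.
    case $name in
      *[!A-Za-z0-9_]*|[0-9]*|'') continue ;;
    esac
    # Read the variable's value and escape sed-special characters (& / \).
    value=$(eval "printf '%s' \"\${$name}\"" | sed 's|[&/\\]|\\&|g')
    # ${NAME}, $NAME followed by a non-identifier char, and $NAME at end of line
    script="$script"'s/\${'"$name"'}/'"$value"'/g;'
    script="$script"'s/\$'"$name"'\([^A-Za-z0-9_]\)/'"$value"'\1/g;'
    script="$script"'s/\$'"$name"'$/'"$value"'/;'
  done
  printf '%s\n' "$template" | sed "$script"
}

# Constructed demo: a token sits in the environment (as it would during a
# workflow job), but only RELEASE_VERSION and REPO are allowlisted.
demo() {
  RELEASE_VERSION='v1.2.3'
  REPO='acme/widgets'
  SECRET_TOKEN='ghs_constructed_not_a_real_token'
  export RELEASE_VERSION REPO SECRET_TOKEN
  render_template 'Release $RELEASE_VERSION of ${REPO}. Token: $SECRET_TOKEN' \
    'RELEASE_VERSION REPO'
}
```

Running `demo` prints `Release v1.2.3 of acme/widgets. Token: $SECRET_TOKEN`: the secret reference survives unexpanded because it was never allowlisted.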
