Build secrets with spaces are logged in superfly/fly-pr-review-apps v1.5.0 #84

@20jasper

tr " " "\n" causes build secrets with spaces to be treated as multiple arguments, and GitHub Actions does not recognize them as secrets, so they get logged. In this specific example, autogenerated fly.io tokens seem to always contain a space (FlyV1 fm2_<encoded>).

https://github.com/superfly/fly-pr-review-apps/blob/main/entrypoint.sh#L48

As per Matt Braun

The PR that added this feature (#50) shows the intended format is multiline YAML, so the tr command seems to be unnecessary.

Reproduction

Note the token is revoked now

+ build_secrets=' --build-secret FLY_API_TOKEN=FlyV1 --build-secret fm2_lJPECAAAAAAAB+lyxBAdJ9PBa0PF4/GDPIhd//G7wrVodHRwczovL2FwaS5mbHkuaW8vdjGWAJLOAA2bCx8Lk7lodHRwczovL2FwaS5mbHkuaW8vYWFhL3YxxDx3N2lWcaqfXE+xssRop4JbE474jI+O9XCeFpBQCxDtLRQ0zkSSaxHL0Q4mAE6l6cDxNMCcxpVkwjDyNwjETmVnHqxqSdsihtIrHSz5YqR0HHgOcg8S75x+rKFKLZS4Z5VgVOogpthCWibzcUrZyiEkjFH+sNTP5clm/dFXSRYLz9yMOHiC0cKcjlSOHw2SlAORgc4AnjW4HwWRgqdidWlsZGVyH6J3Zx8BxCDkyJ38Tdieo4bdarhQ68GziBoZHJyfOM8fSlNa84t5JQ==,fm2_lJPETmVnHqxqSdsihtIrHSz5YqR0HHgOcg8S75x+rKFKLZS4Z5VgVOogpthCWibzcUrZyiEkjFH+sNTP5clm/dFXSRYLz9yMOHiC0cKcjlSOH8QQXRI9k80iVOnWoNUVFrp3S8O5aHR0cHM6Ly9hcGkuZmx5LmlvL2FhYS92MZgEks5o2Ad4zwAAAAEk0CWWF84ADSypCpHOAA0sqQzEEBnReVI1PMn5JicvmFFHyY7EIM/2cOCWMeUpOfOm8za5aDaOTd0BukO4jESjCViEsTLo --build-secret GITHUB_TOKEN=***'

https://github.com/playfulprogramming/playfulprogramming/actions/runs/20882716208/job/60001418749?pr=1472#step:4:63
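
The splitting behaviour reported above, next to line-based parsing, as an added example that is not the project's entrypoint.sh code. The function names and sample values are constructed for illustration, and `mask_exact` is a simplified model of log masking that assumes the registered secret is matched as one exact string.

```shell
# Constructed sample input (not a real token): one KEY=VALUE per line, and the
# first value contains a space, like the "FlyV1 fm2_<encoded>" shape in the issue.
SAMPLE_TOKEN='FlyV1 fm2_CONSTRUCTED_PLACEHOLDER'
SAMPLE_SECRETS="FLY_API_TOKEN=$SAMPLE_TOKEN
GITHUB_TOKEN=ghs_CONSTRUCTED_PLACEHOLDER"

# Behaviour the issue describes: spaces become newlines before word splitting,
# so a value containing a space turns into two separate arguments.
split_on_spaces() {
  for arg in $(printf '%s\n' "$1" | tr " " "\n"); do
    printf '%s\n' "$arg"
  done
}

# Line-based parsing: each non-empty line is exactly one secret, spaces intact.
split_on_lines() {
  printf '%s\n' "$1" | while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$line" ]; then printf '%s\n' "$line"; fi
  done
}

# Reads one secret per line on stdin and prints the flag string a trace would show.
render_flags() {
  out=""
  while IFS= read -r s; do out="$out --build-secret $s"; done
  printf '%s\n' "$out"
}

# Simplified masking model (assumption): replace the first exact occurrence of
# the secret value $2 in the log text $1 with ***.
mask_exact() {
  case "$1" in
    *"$2"*) pre=${1%%"$2"*}; post=${1#*"$2"}; printf '%s***%s\n' "$pre" "$post" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Prints the masked log line produced by the given splitter function name.
masked_log() {
  mask_exact "$("$1" "$SAMPLE_SECRETS" | render_flags)" "$SAMPLE_TOKEN"
}

masked_log split_on_spaces   # token fragment still visible
masked_log split_on_lines    # whole value replaced by ***
```

With space splitting, the full secret string never appears contiguously in the trace, so an exact-match mask has nothing to replace and the `fm2_` half is printed in the clear.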
