It’s surprisingly tricky if you want to work with env variables.
After some clumsiness around exec-env, I settled on this snippet:
- name: Add secrets
  run: |
    echo "::add-mask::$(sops exec-file secrets.env…