Returned token should be declared secret

[segiddins]

Before setting the output and env var, the token should be marked as a secret to avoid leaking it in output

[salekseev]

I believe GitHub Actions mask tokens automatically in logs per https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#redacting-secrets-from-workflow-run-logs