From 8df8b2ac7d1c88461fa4b28740d56cd9fe5db2cb Mon Sep 17 00:00:00 2001
From: Floris van der Grinten <floris.vandergrinten@agilebits.com>
Date: Thu, 27 May 2021 14:45:33 +0200
Subject: [PATCH] Move note on masking into separate section

---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0caec93..fc3574c 100644
--- a/README.md
+++ b/README.md
@@ -4,9 +4,6 @@ The action to load secrets from [1Password Connect](https://1password.com/secret
 
 Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.
 
-Just like regular GitHub repository secrets, every secret from 1Password will automatically be masked from the GitHub Actions logs too.
-So if they accidentally get printed, they'll get replaced with `***`.
-
 ## Usage
 
 ```yml
@@ -108,6 +105,13 @@ So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be
   * **Section:** default section
   * **Field:** `secret-access-key`
 
+## Masking
+
+Just like regular GitHub repository secrets, secrets loaded from 1Password will automatically be masked from the GitHub Actions logs too.
+If they accidentally get printed, they'll get replaced with `***`.
+
+To avoid unnecessary masks (like a username field), masks are only applied on fields marked as concealed (which show as `•••••` in the 1Password GUI) and on secure notes.
+
 ## Supported Runners
 
 You can run the action on Linux and macOS runners. Windows is currently not supported.