The action uses ::add:mask:: to mask the input adminkey but this ends up logging the key, becuase there's no way in a composite action to mask values pulled from input within the action itself.

Best to remove that step and document that the caller should mask the key.

Usually this is not an issue because the key comes from GitHub secrets so it is automatically masked, but if the key came from an input on a workflow dispatch the value will be exposed.

See actions/runner#475 (comment)