The code is public but the secrets are obviously not, and if they are ever put in the logs then that's a security issue. Even if the action isn't logging credentials directly, it may be logging privileged information (e.g. S3 bucket names or contents) that can only be accessed with privileged credentials. Therefore it makes sense to keep the logs private. Maybe there should be a setting for Action owners where they can set logs public if they think it would help contributors.