Yes, just prints to the build log, so the risk is higher for public repos. Lot of public repos have creds printed in their build logs due to this compromised action.