diff --git a/action.yml b/action.yml
index 1249ab7..09e5526 100644
--- a/action.yml
+++ b/action.yml
@@ -105,6 +105,18 @@ inputs:
     default: ""
     required: false
 
+  debug_log_github_context:
+    description: "Log github.context as JSON for debugging purposes"
+    default: "false"
+
+  debug_log_auth_json:
+    description: "WARNING: may leak credentials to logs. Log docker auth.json contents for debugging purposes"
+    default: "false"
+
+  debug_log_destinations:
+    description: "Log docker build destinations for debugging purposes"
+    default: "true"
+
 outputs:
   published_tags:
     description: "Published tags as csv"
diff --git a/dist/index.js b/dist/index.js
index fd365d3..dccc722 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -61788,11 +61788,6 @@ function collect_git(debug = false, output = false) {
 
 
 function collect_all(debug = false, output = false) {
-
-  if (debug) {
-    console.log(JSON.stringify(lib_github.context, null, 2));
-  }
-
   return {
     ...collect_ci(debug, output),
     ...collect_git(debug, output)
@@ -62168,6 +62163,29 @@ function mergeArgRegistryAuthJson(registryAuthJson) {
 
 function writeRegistryAuthJson(registryAuthJson, targetFile) {
   external_fs_.mkdirSync(external_path_.dirname(targetFile), {recursive: true});
+  const jsonContents = JSON.stringify(registryAuthJson, null, 2);
+
+  // create and log a censored copy if enabled
+  if (core.getBooleanInput('debug_log_auth_json')) {
+    const copy = JSON.parse(jsonContents);
+    for (const registry in copy.auths) {
+      if (copy.auths.hasOwnProperty(registry)) {
+        let credentials = copy.auths[registry].auth;
+        if (credentials != null) {
+          // truncate credentials to avoid leaking sensitive information
+          if (credentials.length > 16) {
+            credentials = credentials.substr(0, 16) + '...';
+          }
+          else {
+            credentials = '***censored***';
+          }
+          copy.auths[registry].auth = credentials;
+        }
+      }
+    }
+    console.log('debug_log_auth_json:', copy);
+  }
+
   external_fs_.writeFileSync(targetFile, JSON.stringify(registryAuthJson, null, 2));
 }
 
@@ -62356,6 +62374,10 @@ function lib_isTrueString(str) {
 
 
 try {
+  if (lib_isTrueString(core.getBooleanInput('debug_log_github_context'))) {
+    console.log(JSON.stringify(github.context, null, 2));
+  }
+
   const information = collect_all(true, false);
 
   const debug = lib_isTrueString(process.env['ACTIONS_STEP_DEBUG']);
@@ -62381,7 +62403,7 @@ try {
   }
 
   const destinations = prepareDestinations(targetRegistries, tags);
-  if (debug) {
+  if (debug || core.getBooleanInput('debug_log_destinations')) {
     console.log('destinations:', JSON.stringify(destinations, null, 2));
   }
 
diff --git a/src/action.js b/src/action.js
index 8053a45..aa9ee10 100644
--- a/src/action.js
+++ b/src/action.js
@@ -15,6 +15,10 @@ import {
 
 
 try {
+  if (isTrueString(core.getBooleanInput('debug_log_github_context'))) {
+    console.log(JSON.stringify(github.context, null, 2));
+  }
+
   const information = action_information.collect_all(true, false);
 
   const debug = isTrueString(process.env['ACTIONS_STEP_DEBUG']);
@@ -40,7 +44,7 @@ try {
   }
 
   const destinations = prepareDestinations(targetRegistries, tags);
-  if (debug) {
+  if (debug || core.getBooleanInput('debug_log_destinations')) {
     console.log('destinations:', JSON.stringify(destinations, null, 2));
   }
 
diff --git a/src/lib.js b/src/lib.js
index ff0e4bd..9d61c41 100644
--- a/src/lib.js
+++ b/src/lib.js
@@ -61,6 +61,29 @@ export function mergeArgRegistryAuthJson(registryAuthJson) {
 
 export function writeRegistryAuthJson(registryAuthJson, targetFile) {
   fs.mkdirSync(path.dirname(targetFile), {recursive: true});
+  const jsonContents = JSON.stringify(registryAuthJson, null, 2);
+
+  // create and log a censored copy if enabled
+  if (core.getBooleanInput('debug_log_auth_json')) {
+    const copy = JSON.parse(jsonContents);
+    for (const registry in copy.auths) {
+      if (copy.auths.hasOwnProperty(registry)) {
+        let credentials = copy.auths[registry].auth;
+        if (credentials != null) {
+          // truncate credentials to avoid leaking sensitive information
+          if (credentials.length > 16) {
+            credentials = credentials.substr(0, 16) + '...';
+          }
+          else {
+            credentials = '***censored***';
+          }
+          copy.auths[registry].auth = credentials;
+        }
+      }
+    }
+    console.log('debug_log_auth_json:', copy);
+  }
+
   fs.writeFileSync(targetFile, JSON.stringify(registryAuthJson, null, 2));
 }