refactor: compute masked command at compile time

Move secret masking from runtime (task.go) to compile time (variables.go). This avoids recalculating variables on each log. - Add MaskSecretsWithExtra for loop vars and deferred commands - Rename CmdTemplate to LogCmd (clearer intent) - Simplify logging in runCommand
2026-06-25 13:46:13 +00:00 · 2026-02-01 16:32:07 +01:00
parent ffbb9781c2
commit 32f237af7d
4 changed files with 42 additions and 14 deletions
--- a/internal/templater/secrets.go
+++ b/internal/templater/secrets.go
@@ -35,3 +35,36 @@ func MaskSecrets(cmdTemplate string, vars *ast.Vars) string {

 	return result
 }
+
+// MaskSecretsWithExtra is like MaskSecrets but also resolves extra variables (e.g., loop vars).
+func MaskSecretsWithExtra(cmdTemplate string, vars *ast.Vars, extra map[string]any) string {
+	if vars == nil || vars.Len() == 0 {
+		// Still need to resolve extra vars even if no vars
+		cache := &Cache{Vars: ast.NewVars()}
+		result := ReplaceWithExtra(cmdTemplate, cache, extra)
+		if cache.Err() != nil {
+			return cmdTemplate
+		}
+		return result
+	}
+
+	// Create a cache map with secrets masked
+	maskedVars := vars.DeepCopy()
+	for name, v := range maskedVars.All() {
+		if v.Secret {
+			maskedVars.Set(name, ast.Var{
+				Value:  "*****",
+				Secret: true,
+			})
+		}
+	}
+
+	cache := &Cache{Vars: maskedVars}
+	result := ReplaceWithExtra(cmdTemplate, cache, extra)
+
+	if cache.Err() != nil {
+		return cmdTemplate
+	}
+
+	return result
+}