feat: do not log secret variables

2026-06-15 11:51:41 +00:00 · 2025-11-15 21:52:04 +01:00
parent 6e37e3d7a7
commit 8bd982c702
15 changed files with 371 additions and 25 deletions
--- a/task.go
+++ b/task.go
@@ -349,6 +349,8 @@ func (e *Executor) runDeferred(t *ast.Task, call *Call, i int, vars *ast.Vars, d
 		extra["EXIT_CODE"] = fmt.Sprintf("%d", *deferredExitCode)
 	}

+	// Save template before resolving for secret masking in logs
+	cmd.CmdTemplate = cmd.Cmd
 	cmd.Cmd = templater.ReplaceWithExtra(cmd.Cmd, cache, extra)
 	cmd.Task = templater.ReplaceWithExtra(cmd.Task, cache, extra)
 	cmd.If = templater.ReplaceWithExtra(cmd.If, cache, extra)
@@ -393,7 +395,15 @@ func (e *Executor) runCommand(ctx context.Context, t *ast.Task, call *Call, i in
 		}

 		if e.Verbose || (!call.Silent && !cmd.Silent && !t.IsSilent() && !e.Taskfile.Silent && !e.Silent) {
-			e.Logger.Errf(logger.Green, "task: [%s] %s\n", t.Name(), cmd.Cmd)
+			// Get runtime vars for masking
+			varsForMasking, err := e.Compiler.FastGetVariables(t, call)
+			if err != nil {
+				return fmt.Errorf("task: failed to get variables: %w", err)
+			}
+
+			// Mask secret variables in the command template before logging
+			cmdToLog := templater.MaskSecrets(cmd.CmdTemplate, varsForMasking)
+			e.Logger.Errf(logger.Green, "task: [%s] %s\n", t.Name(), cmdToLog)
 		}

 		if e.Dry {
@@ -410,7 +420,7 @@ func (e *Executor) runCommand(ctx context.Context, t *ast.Task, call *Call, i in
 			return fmt.Errorf("task: failed to get variables: %w", err)
 		}
 		stdOut, stdErr, closer := outputWrapper.WrapWriter(e.Stdout, e.Stderr, t.Prefix, outputTemplater)
-
+		
 		err = execext.RunCommand(ctx, &execext.RunCommandOptions{
 			Command:   cmd.Cmd,
 			Dir:       t.Dir,