fix: prevent secret variable leaks in summary, verbose and key ordering

- mask secret values in `task --summary` (commands and vars listing)
- mask resolved value of dynamic (sh) secrets in verbose logs
- use masked command for platform-skipped verbose log
- allow `secret` key in any position in a var definition (not only first)
- add `value` to the JSON schema var definition
- skip masking pass when no secret is present and dedup mask helpers
- document that the `secret` flag is not propagated to derived variables
This commit is contained in:
Valentin Maerten
2026-06-29 12:36:56 +02:00
parent 8545e02e5e
commit da90ecd083
12 changed files with 175 additions and 60 deletions

View File

@@ -390,7 +390,7 @@ func (e *Executor) runCommand(ctx context.Context, t *ast.Task, call *Call, i in
return err
case cmd.Cmd != "":
if !shouldRunOnCurrentPlatform(cmd.Platforms) {
e.Logger.VerboseOutf(logger.Yellow, "task: [%s] %s not for current platform - ignored\n", t.Name(), cmd.Cmd)
e.Logger.VerboseOutf(logger.Yellow, "task: [%s] %s not for current platform - ignored\n", t.Name(), cmd.LogCmd)
return nil
}