version: '3' vars: # Public variable APP_NAME: myapp # Secret variable with value API_KEY: value: "secret-api-key-123" secret: true # Secret variable from shell command PASSWORD: sh: "echo 'my-super-secret-password'" secret: true # Non-secret variable PUBLIC_URL: https://example.com tasks: test-secret-masking: desc: Test that secret variables are masked in logs cmds: - echo "Deploying {{.APP_NAME}} to {{.PUBLIC_URL}}" - echo "Using API key {{.API_KEY}}" - echo "Password is {{.PASSWORD}}" - echo "Public app name is {{.APP_NAME}}" test-multiple-secrets: desc: Test multiple secrets in one command cmds: - echo "API={{.API_KEY}} PWD={{.PASSWORD}}" test-mixed: desc: Test mix of secret and public vars vars: LOCAL_SECRET: value: "task-level-secret" secret: true cmds: - echo "App={{.APP_NAME}} Secret={{.LOCAL_SECRET}} URL={{.PUBLIC_URL}}" test-deferred-secret: desc: Test that deferred commands mask secrets vars: DEFERRED_SECRET: value: "deferred-secret-value" secret: true cmds: - echo "Starting task" - defer: echo "Cleanup with secret={{.DEFERRED_SECRET}} and app={{.APP_NAME}}" - echo "Main command executed" test-dynamic-secret-verbose: desc: Test that dynamic (sh) secrets are masked even in verbose logs cmds: - echo "Password is {{.PASSWORD}}" test-secret-key-order: desc: Test that "secret" may be declared before the value/sh key vars: SECRET_FIRST: secret: true value: "order-independent-secret" SH_SECRET_FIRST: secret: true sh: "echo 'sh-order-independent-secret'" cmds: - echo "Value={{.SECRET_FIRST}} Sh={{.SH_SECRET_FIRST}}" test-env-secret-limitation: desc: Test showing that env vars with secret flag are NOT masked (limitation) env: SECRET_TOKEN: value: "env-secret-token-123" secret: true PUBLIC_ENV: "public-value" cmds: # Templates {{.VAR}} don't work with env - they're empty - echo "Token via template is {{.SECRET_TOKEN}}" # Shell $VAR works but is NOT masked (env vars not in template system) - echo "Token via shell is $SECRET_TOKEN" - echo "Public env is {{.PUBLIC_ENV}}"