
Remote taskfile could potentially expose secrets #2100

@skoblenick

Description

I understand this is an experimental feature, but the log/warning messages to console should not expose secrets or tokens as plain text. If this is executed by scripts or in a CI environment, it could potentially expose the secret tokens or end up in historical logs.

When running with:

export TASK_X_REMOTE_TASKFILES=1
task -y my-task

the following output is echoed to terminal:

The task you are attempting to run depends on the remote Taskfile at "https://ghp_<secret>@raw.githubusercontent.com/username/taskfile/main/Taskfile.yml".
--- Make sure you trust the source of this Taskfile before continuing ---
Continue? [assuming yes]

Ideally, sensitive values would be masked in the output. At minimum there needs to be a way to suppress the warning with an environment variable. The -s (--silence) flag doesn't hide this message either; i.e. task -y -s my-task. An environment variable seems the most logical IMO to ensure the flag isn't missed in scripts and would handle exposure at the repo/system level.

Version

3.41.0

Operating system

MacOS

Experiments Enabled

Remote Taskfiles

Example Taskfile

version: "3"

includes:
  git: https://{{.GH_TOKEN}}@raw.githubusercontent.com/username/taskfile/main/Taskfile.yml

tasks:
  my-task:
    cmds:
      - tasks: git
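As an added example (not code from this issue or from Task itself), the Go helper below shows the kind of redaction the report asks for: any userinfo in the remote URL is replaced before the URL is echoed in the trust prompt. The helper names and the sample token are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// userinfoRe is a fallback for inputs that url.Parse rejects (for example a
// token containing characters that are illegal in userinfo). It matches the
// "scheme://<userinfo>@" prefix so the credential part can be replaced.
var userinfoRe = regexp.MustCompile(`^([a-zA-Z][a-zA-Z0-9+.-]*://)[^/@]+@`)

// RedactURL replaces any userinfo (username, password or embedded token) in
// raw with "REDACTED" so the result is safe to print in prompts and logs.
// URLs without credentials are returned unchanged.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		// Unparseable or credential-free: let the regexp decide.
		return userinfoRe.ReplaceAllString(raw, "${1}REDACTED@")
	}
	u.User = url.User("REDACTED")
	return u.String()
}

// TrustPrompt builds the warning quoted in the issue, but redacts the remote
// Taskfile URL first so a token never reaches the terminal or CI logs.
func TrustPrompt(remote string) string {
	return fmt.Sprintf(
		"The task you are attempting to run depends on the remote Taskfile at %q.\n"+
			"--- Make sure you trust the source of this Taskfile before continuing ---",
		RedactURL(remote))
}

func main() {
	// Constructed sample token; not a real credential.
	raw := "https://ghp_EXAMPLETOKEN1234@raw.githubusercontent.com/username/taskfile/main/Taskfile.yml"
	fmt.Println(TrustPrompt(raw))
}
```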
