sops_encrypt: mark parameters containing secrets with no_log=True

[felixfontein]

More fallout from ansible/ansible#73508.

We should release this as 1.0.4 ASAP.

[codecov]

Codecov Report

Merging #54 (5b11a9a) into main (4fc784c) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #54   +/-   ##
=======================================
  Coverage   62.44%   62.44%           
=======================================
  Files           8        8           
  Lines         900      900           
  Branches      201      201           
=======================================
  Hits          562      562           
  Misses        260      260           
  Partials       78       78           

Impacted Files	Coverage Δ
plugins/module_utils/sops.py	86.53% <ø> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4fc784c...fddba4f. Read the comment docs.

[tadeboro]

Looks good. Not 100% sure why we should hide the threshold value, but that is probably because I do not know enough about crypto stuff.

[felixfontein]

@tadeboro the Shamir threshold value says how many keys are needed to decrypt a secret. That's part of the algorithm configuration, and definitely does not need to be secret. It's also stored directly in the metadata of an encrypted file (https://github.com/mozilla/sops/blob/develop/sops.go#L485).

[felixfontein]

Ah, sorry, I misread you. We don't hide it, I set no_log=False to explicitly mark it as "this is not secret", as ansible/ansible#73508 will report it because of "secret" in the name :)

[felixfontein]

@tadeboro thanks for reviewing this!
@endorama I'll create a new release for this later today

[tadeboro]

Ugh, that was my bad. I did not notice that you are silencing the false positive.