This repository was archived by the owner on May 17, 2024. It is now read-only.
Why? It is helpful for debugging when the users show their logs with their configs. However, configs contain database passwords, which should be printed.
Problem 1: Printing the configs with passwords to stdout/stderr is considered a security leak in some organizations, which requires changing the leaked passwords and reporting a security incident — e.g. if data-diff is executed in a remote environment (Docker containers, Kubernetes Jobs/Pods, etc).
Problem 2: With the realistic database tests from #112, the passwords should have been defined as GitHub Actions Sections. GitHub automatically redacts the secrets if/when it can detect them, but still recommends that we do not print them in the first place:
Print/log the used config with all secrets redacted both from the config keys and from URI.
Notes:
A malicious contributor can simply print() them (with modifications to work around GitHub's redacting) — but GitHub usually requires clicking a button for external (non-trusted) contributors before running the Actions — at least some protection.
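A sketch of the redaction requested above, added here as an illustration and not taken from data-diff's code: it masks values under secret-looking config keys and the password embedded in a database URI before the config is logged. The key-name pattern and the sample config are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "***"
# Assumed secret-looking key names; "key" alone is excluded so that
# ordinary settings such as key_column are still logged.
SECRET_KEY_RE = re.compile(r"password|passwd|pwd|secret|token|api_key|private_key", re.I)


def redact_uri(uri: str) -> str:
    """Mask the password in user:password@host and secret query parameters."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return MASK  # fail closed: never log a URI that cannot be parsed
    userinfo, _, hostport = parts.netloc.rpartition("@")  # last "@" ends userinfo
    user, sep, _password = userinfo.partition(":")
    netloc = f"{user}:{MASK}@{hostport}" if sep else parts.netloc
    pairs = [(k, MASK if SECRET_KEY_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode(pairs, safe="*")  # keep the mask readable
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def redact_config(value, key=""):
    """Return a redacted copy of a nested config; the input is not modified."""
    if isinstance(value, dict):
        return {k: redact_config(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_config(v, key) for v in value]
    if SECRET_KEY_RE.search(str(key)):
        return MASK
    if isinstance(value, str) and "://" in value:
        return redact_uri(value)
    return value


# Constructed sample config (not a real data-diff configuration).
SAMPLE = {
    "database": {
        "prod": {"driver": "postgresql", "user": "app", "password": "hunter2"},
        "dwh": "snowflake://app:s3cr3t@acct/db/schema?warehouse=WH&token=abc",
    },
    "run": {"default": {"key_column": "id", "verbose": True}},
}

if __name__ == "__main__":
    print(redact_config(SAMPLE))
```

Log only the returned copy; the original config object still holds the real credentials for connecting.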