quality of life: when duplicate a job, don't redact environment variables in task if it inherit from input

[v36372]

Hi, when I duplicate a job, the task environment variables that are matched with secret pattern will be replaced its value with "[REDACTED]", even if it only inherit the value from inputs

For example:

name: Example
inputs:
  SECRET: 12345
tasks:
  - name: Example
    run: |
      echo "hello world"
    image: python:3-slim
    env:
      SECRET: "{{ inputs.SECRET }}"

When duplicating this job, it's definition become

name: Example
inputs:
  SECRET: "[REDACTED]"
tasks:
  - name: Example
    run: |
      echo "hello world"
    image: python:3-slim
    env:
      SECRET: "[REDACTED]"

The second redaction is unnecessary.

[runabol]

This is due to your environment variable named SECRET. A quick fix would be to rename it to something else. That being said, I do plan on adding a top level job secrets construct to house all secrets, so I never have to redact anything within the job but only that section.

[v36372]

My intention is to redact everything. I have the secret pattern config like this:

[middleware.job.redact]
enabled = true
patterns = ["*"]

But that is not relevant to the point I'm making. I'm just proposing that maybe don't redact the variables whose value is inherited from inputs, because it's not the actual content anyway.

[runabol]

Parsing the value has too many edge cases. Example:

{{inputs.not_a_secret}}/actual_secret

So if I don't redact this it will have the secret in the clear.

That's why I'm thinking of adding a new secrets construct that will be more explicit.