resolve bearer token secrets before authentication

[amirejaz]

Summary

Fixes a bug where bearer tokens in CLI format were not being resolved to plain text before being passed to the authentication handler, causing authentication failures.

Problem

When a bearer token was configured without an OAuth client secret, the runner was passing the CLI format string (e.g., "BEARER_TOKEN_posthog-remote-bearer,target=bearer_token") directly to BearerTokenSource instead of resolving it to the actual token value first.

This occurred because WithSecrets() (which resolves CLI format secrets to plain text) was only called when ClientSecret was present, not when only BearerToken was configured.

Root Cause

In pkg/runner/runner.go, the condition on line 169 only checked for ClientSecret:

hasRemoteAuthSecret := r.Config.RemoteAuthConfig != nil && r.Config.RemoteAuthConfig.ClientSecret != ""

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.50%. Comparing base (35ac572) to head (579c7a6).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/runner/runner.go	33.33%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3259      +/-   ##
==========================================
- Coverage   63.54%   63.50%   -0.05%     
==========================================
  Files         355      356       +1     
  Lines       35058    35097      +39     
==========================================
+ Hits        22279    22288       +9     
- Misses      10978    11005      +27     
- Partials     1801     1804       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.