Secrets are sometimes not filtered from step output

I’m writing a plugin for our org that needs to be able to push to GitHub. To do that I am setting:

git config --global --add "url.https://${githubToken}@github.com/.insteadOf" "https://github.com/"
git config --global --add "url.https://${githubToken}@github.com/.insteadOf" "ssh://git@github.com/"
git config --global --add "url.https://${githubToken}@github.com/.insteadOf" "git@github.com:"
git config --global --add "url.https://${githubToken}@github.com/.insteadOf" "git://github.com/"

To debug that the config was set correctly I added:

git config --global --list
git remote -v

The step output was:

url.https://[the token in the clear]@github.com/.insteadof=https://github.com/
url.https://[the token in the clear]@github.com/.insteadof=ssh://git@github.com/
url.https://[the token in the clear]@github.com/.insteadof=git@github.com:
url.https://[the token in the clear]@github.com/.insteadof=git://github.com/
push.default=simple
origin	https://@github.com/getndazn/test-npm-package (fetch)
origin	https://@github.com/getndazn/test-npm-package (push)

As you can see, the remote -v output was correctly filtered but the config --list wasn’t for some reason.

Am I right that this should have been filtered?

Seems pretty bad to me that I can exfiltrate any secret from a job by adding this step to my pipeline:

pipeline:
  exfiltrate:
    image: git
    secrets: [some_secret]
    commands:
      - git config --global 'a-secret' "${SOME_SECRET}"
      - git config --global --list

Masking secrets is not something that was added until 0.9 (which is alpha).

Oh, ok. Why are they seemingly omitted from the git remote call?

Sorry if I am misunderstanding, but you are using 0.8 (I can tell based on your YAML file), and masking secrets in the output was not implemented until version 0.9.
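
Added example, not part of the thread or of Drone: on a runner that does not mask secrets in step output, one way to keep debug commands such as `git config --global --list` from printing the token is to filter their output inside the step. The helper name `redact_git_output`, the variable `DEMO_TOKEN` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# redact_git_output is a hypothetical helper, not a git or Drone feature.
# Usage: git config --global --list 2>&1 | redact_git_output SOME_SECRET
# Arguments are NAMES of exported environment variables, so the secret
# values themselves never appear on a command line.
redact_git_output() {
    awk '
    BEGIN {
        for (i = 1; i < ARGC; i++) {
            v = ENVIRON[ARGV[i]]
            if (v != "") secret[++n] = v      # skip unset or empty variables
        }
        ARGC = 1                      # read the text to filter from stdin
        url = "https?://[^/@ \t]+@"   # userinfo part of an http(s) URL
    }
    {
        line = $0
        # 1. Literal (non-regex) replacement of every known secret value.
        for (i = 1; i <= n; i++) {
            out = ""
            while ((p = index(line, secret[i])) > 0) {
                out = out substr(line, 1, p - 1) "********"
                line = substr(line, p + length(secret[i]))
            }
            line = out line
        }
        # 2. Mask credentials embedded in http(s) URLs, known or not.
        out = ""
        while (match(line, url)) {
            m = substr(line, RSTART, RLENGTH)
            out = out substr(line, 1, RSTART - 1) substr(m, 1, index(m, "://") + 2) "********@"
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }' "$@"
}

# Constructed sample input shaped like the step output in the thread.
DEMO_TOKEN='constructed.token+123'; export DEMO_TOKEN
printf '%s\n' \
    "url.https://${DEMO_TOKEN}@github.com/.insteadof=ssh://git@github.com/" \
    "a-secret=${DEMO_TOKEN}" \
    "push.default=simple" | redact_git_output DEMO_TOKEN
```

This only catches the exact secret value and URL-embedded credentials; a step that prints the secret in an encoded or transformed form still exposes it.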