Mask base64 cert and document add-mask stdout requirement

DeveloperIDCertBase64 is the .p12 contents and equally sensitive as the password — register it with the log scrubber so a future code path that accidentally wraps cfg in a debug log can't leak it. Also documents why maskSecrets writes to stdout rather than stderr. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:34:05 +10:00 · 2026-05-02 10:34:05 +10:00 · 445c99e6c4
parent 97fb47d023
commit 445c99e6c4
1 changed files with 4 additions and 0 deletions
--- a/cmd/wails-release/main.go
+++ b/cmd/wails-release/main.go
@ -189,8 +189,12 @@ func run(ctx context.Context) error {
 	return nil
 }

+// maskSecrets registers every credential value with the runner's log
+// scrubber via ::add-mask:: directives. These directives MUST be written
+// to stdout (not stderr) — the runner's command-parser only reads stdout.
 func maskSecrets(c *config.Config) {
 	for _, v := range []string{
+		c.DeveloperIDCertBase64,
 		c.DeveloperIDCertPassword,
 		c.NotarizationAPIKeyBase64,
 		c.NotarizationApplePassword,