From 445c99e6c4814fc5f4158a78d9290efa226102ec Mon Sep 17 00:00:00 2001
From: Leon Mika
Date: Sat, 2 May 2026 10:34:05 +1000
Subject: [PATCH] Mask base64 cert and document add-mask stdout requirement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DeveloperIDCertBase64 is the .p12 contents and equally sensitive as the password — register it with the log scrubber so a future code path that accidentally wraps cfg in a debug log can't leak it. Also documents why maskSecrets writes to stdout rather than stderr.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cmd/wails-release/main.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/wails-release/main.go b/cmd/wails-release/main.go
index 0ca73fe..9525ec1 100644
--- a/cmd/wails-release/main.go
+++ b/cmd/wails-release/main.go
@@ -189,8 +189,12 @@ func run(ctx context.Context) error {
 return nil
 }

+// maskSecrets registers every credential value with the runner's log
+// scrubber via ::add-mask:: directives. These directives MUST be written
+// to stdout (not stderr) — the runner's command-parser only reads stdout.
 func maskSecrets(c *config.Config) {
 for _, v := range []string{
+ c.DeveloperIDCertBase64,
 c.DeveloperIDCertPassword,
 c.NotarizationAPIKeyBase64,
 c.NotarizationApplePassword,
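Review bot: The newly listed `c.DeveloperIDCertBase64` in maskSecrets may be line-wrapped base64, and an `::add-mask::` directive is parsed as a single stdout line, so a value containing newlines would be masked only up to the first newline while the remaining lines are written to the job log as ordinary output. The loop body lies outside this hunk, so whether it already splits on whitespace or skips empty values cannot be confirmed from here. If it prints `v` verbatim, emit one directive per chunk instead, e.g. `for _, part := range strings.Fields(v) { fmt.Println("::add-mask::" + part) }`, which also avoids registering an empty mask when a field is unset. The same applies to `c.NotarizationAPIKeyBase64`, and the new doc comment should state the single-line constraint alongside the stdout requirement.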