Closed
Labels: P2-medium (Medium priority), area/template (Template engine and skeleton files), security (Security concerns)
Description
Overview
File: `templates/github/workflows/ci.skeleton.yaml` lines 61-67 (and duplicated at 170-177, 269-276)
The PAT is embedded into git's global config via URL rewriting. While GitHub Actions masks `${{ secrets.* }}` values in direct log output, the concatenated URL form `https://x-access-token:ghp_...@github.com/` may not be masked if git debug output prints only part of it or prints it in an encoded form.
Risk
If ANY subsequent step triggers git debug logging (`GIT_TRACE=1`, `git config --list`, verbose git operations), the PAT could leak in CI logs. For a personal access token (as opposed to the repository-scoped `GITHUB_TOKEN`), this grants repository-wide access.
Fix
Add `::add-mask::` before the config:
```yaml
- name: Configure Git for HTTPS with Token
  shell: bash
  run: |
    TOKEN="${{ secrets.PAT_SECRET || secrets.GITHUB_TOKEN }}"
    echo "::add-mask::${TOKEN}"
    git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "git@github.com:"
    # ... rest of config
```
Acceptance Criteria
- `::add-mask::` added to all git config steps in template
- All 3 locations in skeleton updated (single-platform, multi-platform analyze, multi-platform test)
- Consumer workflows regenerated
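Two caveats a reviewer of this fix would want on record, illustrated with an added example that is not code from the template or the project. First, runner masking is an exact-substring replacement, so `::add-mask::` of the raw token repeats what the runner already does for `${{ secrets.* }}` values; what it cannot do is catch a form that was never registered. Second, once a token sits in a URL, git can also print the base64 `Basic` credential it derives from `user:password` (for example in `GIT_TRACE_CURL` output, which redacts that header only while `GIT_TRACE_REDACT` is left at its default). Registering that derived form as well is what actions/checkout does for the credential it stores in `http.extraheader`. The script below models the masker locally with `sed`, runs it over two constructed log lines (an `insteadOf` entry as `git config --list` prints it, and a curl trace header line), and shows that raw-only masking leaves the base64 form in the log. The token value is made up; `base64`, `sed` and `grep` are assumed to be the usual coreutils/POSIX tools.

```shell
#!/usr/bin/env sh
# Added example, not code from the template or the project: a local model of
# runner masking that shows which forms of a token the git configuration in
# this issue can expose, and what to register with ::add-mask::.
# The token value and the log lines are constructed for the demonstration.

# Forms a token takes in git's own output once it is embedded in a URL:
#   1. the raw value, printed verbatim by `git config --list` for the
#      url.<...>.insteadOf entry;
#   2. the base64 Basic credential git derives from user:password in the URL
#      (visible in GIT_TRACE_CURL output when GIT_TRACE_REDACT is turned off).
token_forms() {
    printf '%s\n' "$1"
    printf '%s' "x-access-token:$1" | base64 | tr -d '\n'
    printf '\n'
}

# Workflow commands that register every form with the runner's masker.
emit_masks() {
    token_forms "$1" | while IFS= read -r form; do
        printf '::add-mask::%s\n' "$form"
    done
}

# Stand-in for the runner: replace each registered value (arguments) in the
# log text on stdin with ***. Masking is an exact-substring match, which is
# the whole point: a form that was not registered passes through untouched.
scrub() {
    script=''
    for v in "$@"; do
        # escape characters that are special to sed in the pattern
        esc=$(printf '%s' "$v" | sed 's/[][\.*^$#]/\\&/g')
        script="${script}${script:+;}s#${esc}#***#g"
    done
    sed "$script"
}

# Exit status 0 if the text in $1 still contains the value $2 (a leak), else 1.
still_contains() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Constructed token and two constructed log lines: the insteadOf entry as
# `git config --list` prints it, and a curl trace header line.
TOKEN='ghp_EXAMPLEexampleEXAMPLEexample000000'
B64=$(printf '%s' "x-access-token:$TOKEN" | base64 | tr -d '\n')
LOG="url.https://x-access-token:${TOKEN}@github.com/.insteadof=git@github.com:
=> Send header: Authorization: Basic ${B64}"

# What the fix in this issue registers: the raw token only.
scrub_raw_only() { printf '%s\n' "$LOG" | scrub "$TOKEN"; }

# Registering every derived form as well. Word splitting on the output of
# token_forms is intended: neither form contains whitespace.
scrub_all_forms() { printf '%s\n' "$LOG" | scrub $(token_forms "$TOKEN"); }

if [ "${1:-}" = "--demo" ]; then
    echo '# raw token registered:'
    scrub_raw_only
    echo '# all forms registered:'
    scrub_all_forms
    echo '# commands to put in the step:'
    emit_masks "$TOKEN"
fi
```

Run it with `sh mask-demo.sh --demo` (hypothetical file name). The raw-only pass masks the `insteadOf` line but leaves the `Authorization: Basic` line intact; the all-forms pass masks both. In the workflow step this translates to two `::add-mask::` lines, one for `${TOKEN}` and one for `$(printf '%s' "x-access-token:${TOKEN}" | base64 | tr -d '\n')`, emitted before the `git config` call.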