Skip to content

fix(helpers): mask credentials in git URL debug logs#1445

Merged
codejedi365 merged 2 commits into
python-semantic-release:masterfrom
snoopuppy582:fix-mask-git-url-log-1426
Jul 4, 2026
Merged

fix(helpers): mask credentials in git URL debug logs#1445
codejedi365 merged 2 commits into
python-semantic-release:masterfrom
snoopuppy582:fix-mask-git-url-log-1426

Conversation

@snoopuppy582

Copy link
Copy Markdown
Contributor

Purpose

Fixes #1426 by preventing credentials embedded in HTTPS git remotes from being written to debug logs when parse_git_url() starts parsing a URL.

Rationale

The parser should still receive and return the original URL data, but the log message does not need to include userinfo from the URL netloc. This changes only the value passed to the debug log call, replacing any user[:password]@host section with <credentials>@host while leaving parsing behavior unchanged.

How did you test?

  • Added a focused unit test that parses a remote like https://x-oauth-basic:<token>@github.example.com/owner/project.git, confirms parsing still succeeds, and confirms the token/username are absent from captured logs.
  • Ran python -m pytest tests/unit/semantic_release/test_helpers.py -q.
  • Ran ruff check src/semantic_release/helpers.py tests/unit/semantic_release/test_helpers.py.
  • Ran ruff format --check src/semantic_release/helpers.py tests/unit/semantic_release/test_helpers.py.

How to Verify

  1. Run python -m pytest tests/unit/semantic_release/test_helpers.py -q.
  2. Optionally run semantic-release with -vv against an HTTPS remote containing userinfo and confirm the Parsing git url debug line shows <credentials>@host instead of the raw credential-bearing URL.

PR Completion Checklist

  • Reviewed & followed the Contributor Guidelines

  • Changes Implemented & Validation pipeline succeeds

    • Targeted local validation passed; full validation pipeline was not run locally.
  • Commits follow the Conventional Commits standard
    and are separated into the proper commit type and scope (recommended order: test, build, feat/fix, docs)

  • Appropriate Unit tests added/updated

  • Appropriate End-to-End tests added/updated

    • Not applicable; this is covered by a unit-level logging regression test.
  • Appropriate Documentation added/updated and syntax validated for sphinx build (see Contributor Guidelines)

    • Not applicable; no documentation changed.

@codejedi365 codejedi365 force-pushed the fix-mask-git-url-log-1426 branch from 03d150c to 5412473 Compare July 3, 2026 18:46
@codejedi365 codejedi365 force-pushed the fix-mask-git-url-log-1426 branch from 5412473 to c330284 Compare July 4, 2026 01:51
@codejedi365 codejedi365 merged commit 811afb0 into python-semantic-release:master Jul 4, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

GitHub credentials are logged with -vv verbose logging

2 participants