feat: add a "mask" param to hide secrets from http_url

[irealva]

Adds the ability to mask the http_url string to hide secrets with an optional mask parameter. This problem was reported in this discussion.

Provides a way to do so with two options:

Option 1: use a string boolean

mask: true # removes the source entirely from the commit message, defaults to false

Option 2: use a string array with each secret to mask

mask: '["${{ secrets.SECRET1 }}", "${{ secrets.SECRET2 }}"]'

What I tried before landing on this solution:

The zod library for configuring the yaml schema provides support for different types of inputs doing something like: z.union([z.string(), z.boolean()]). So I initially tried to support both types of inputs. The problem is that we use getInput on the action and it always returns a string. We'd have to know "a priori" whether a user is inputting a boolean or string type which doesn't seem possible in order to choose between getInput and getBooleanInput .

This solution might not be the most elegant but it provides flexibility.