Bug Report
Description
Running semantic-release with -vv verbose logging dumps the credentials from the github URL, here I scrubbed it manually:
Feb 4, 2:33:27 PM DEBUG Parsing git url helpers.py:245
Feb 4, 2:33:27 PM 'https://x-oauth-basic:xxx@github.ibm.com/IBM-Q-Softw
Feb 4, 2:33:27 PM are/job-prediction-service'
The issue template asks you to run with -vv and now we have credentials leaked into our CI logs.
Expected behavior
Credentials should be masked in log output.
Actual behavior
Credentials are leaked in verbose output.
Environment
- Operating System (w/ version): Red Hat UBI
- Python version: 3.11
- Pip version: 25.3
- Semantic-release version: 10.5.3
- Build tool (w/ version): n/a
pip freeze
Deprecated-1.3.1 MarkupSafe-3.0.3 annotated-types-0.7.0 certifi-2026.1.4 charset_normalizer-3.4.4 click-8.1.8 click-option-group-0.5.9 dotty-dict-1.3.1 gitdb-4.0.12 gitpython-3.1.46 idna-3.11 importlib-resources-6.5.2 jinja2-3.1.6 markdown-it-py-4.0.0 mdurl-0.1.2 pydantic-2.12.5 pydantic-core-2.41.5 pygments-2.19.2 python-gitlab-6.5.0 python-semantic-release-10.5.3 requests-2.32.5 requests-toolbelt-1.0.0 rich-14.3.1 shellingham-1.5.4 smmap-5.0.2 tomlkit-0.13.3 typing-extensions-4.15.0 typing-inspection-0.4.2 urllib3-2.6.3 wrapt-2.0.1
Configuration
Semantic Release Configuration
{
"semantic_release": {
"assets": [],
"branches": {
"main": {
"match": "^(main|semantic-release)$",
"prerelease_token": "rc",
"prerelease": false
}
},
"changelog": {
"default_templates":{
"changelog_file": "CHANGELOG.md"
},
"exclude_commit_patterns": [
"^((?!(feat:|fix:|perf:|build:|chore:|ci:|docs:|style:|refactor:|test:)).)*$"
],
"environment": {
"block_start_string": "{%",
"block_end_string": "%}",
"variable_start_string": "{{",
"variable_end_string": "}}",
"comment_start_string": "{#",
"comment_end_string": "#}",
"trim_blocks": false,
"lstrip_blocks": false,
"newline_sequence": "\n",
"keep_trailing_newline": false,
"extensions": [],
"autoescape": true
}
},
"commit_author": {
"env": "GIT_COMMIT_AUTHOR",
"default": "semantic-release <semantic-release>"
},
"commit_message": "[skip ci] {version}\n\nAutomatically generated by python-semantic-release",
"commit_parser": "conventional",
"logging_use_named_masks": false,
"major_on_zero": true,
"remote": {
"name": "origin",
"token": {
"env": "GH_TOKEN"
},
"type": "github",
"ignore_token_for_push": false
},
"tag_format": "v{version}",
"version_variables": [
"api/version.py:__version__",
"ci/deployment/k8s/api/Chart.yaml:appVersion",
"ci/deployment/k8s/workers/Chart.yaml:appVersion"
],
"publish": {
"dist_glob_patterns": ["dist/*"],
"upload_to_vcs_release": true
}
}
}
Execution Log
It's in #1424 (I split this issue out of that).
Additional context
n/a
Bug Report
Description
Running semantic-release with
-vvverbose logging dumps the credentials from the github URL, here I scrubbed it manually:The issue template asks you to run with
-vvand now we have credentials leaked into our CI logs.Expected behavior
Credentials should be masked in log output.
Actual behavior
Credentials are leaked in verbose output.
Environment
pip freezeConfiguration
Semantic Release Configuration
{ "semantic_release": { "assets": [], "branches": { "main": { "match": "^(main|semantic-release)$", "prerelease_token": "rc", "prerelease": false } }, "changelog": { "default_templates":{ "changelog_file": "CHANGELOG.md" }, "exclude_commit_patterns": [ "^((?!(feat:|fix:|perf:|build:|chore:|ci:|docs:|style:|refactor:|test:)).)*$" ], "environment": { "block_start_string": "{%", "block_end_string": "%}", "variable_start_string": "{{", "variable_end_string": "}}", "comment_start_string": "{#", "comment_end_string": "#}", "trim_blocks": false, "lstrip_blocks": false, "newline_sequence": "\n", "keep_trailing_newline": false, "extensions": [], "autoescape": true } }, "commit_author": { "env": "GIT_COMMIT_AUTHOR", "default": "semantic-release <semantic-release>" }, "commit_message": "[skip ci] {version}\n\nAutomatically generated by python-semantic-release", "commit_parser": "conventional", "logging_use_named_masks": false, "major_on_zero": true, "remote": { "name": "origin", "token": { "env": "GH_TOKEN" }, "type": "github", "ignore_token_for_push": false }, "tag_format": "v{version}", "version_variables": [ "api/version.py:__version__", "ci/deployment/k8s/api/Chart.yaml:appVersion", "ci/deployment/k8s/workers/Chart.yaml:appVersion" ], "publish": { "dist_glob_patterns": ["dist/*"], "upload_to_vcs_release": true } } }Execution Log
It's in #1424 (I split this issue out of that).
Additional context
n/a