by spectre256 2894 days ago
Wouldn't this be an unwinnable battle? If you can't print out the whole secret, you can print out each half of it, or one character at a time, each on a different line.

There's probably no way around the reality that users who have the ability to run arbitrary code on the CI server have access to the secrets.

1 comments

Yeah. Maybe I shouldn't have suggested scrubbing base64'd secrets. What I have in mind is a usability feature, making it so users can't accidentally print out a secret that they're not supposed to print out.
I would have to admit that's useful as I've accidentally printed a secret key or two to publicly accessible jobs on TravisCI, and then had to scramble to rotate them :)
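
The idea discussed in this thread, as an added example (not code from Travis CI or from either commenter): a log scrubber that masks a secret's literal form and its standalone base64 encodings. It catches accidental prints but, as the first comment points out, leaves output split across lines untouched. The names `variants` and `scrub`, the mask string and the sample secret are assumptions constructed for illustration.

```python
import base64

MASK = "[secure]"                      # assumed mask string
SECRET = "s3cr3t-deploy-key-EXAMPLE"   # constructed sample value, not a real key


def variants(secret):
    """Return the literal secret plus its standalone base64 encodings."""
    raw = secret.encode()
    forms = {secret}
    for encode in (base64.b64encode, base64.urlsafe_b64encode):
        b64 = encode(raw).decode()
        forms.add(b64)
        forms.add(b64.rstrip("="))     # loggers often drop the padding
    return forms


def scrub(log, secrets):
    """Mask every known form of every secret in a block of log text."""
    needles = set()
    for secret in secrets:
        if secret:                     # an empty secret would match everywhere
            needles |= variants(secret)
    # Longest first, so a padded encoding is masked before its unpadded prefix.
    for needle in sorted(needles, key=len, reverse=True):
        log = log.replace(needle, MASK)
    return log


# Constructed log lines for the three cases raised in the thread.
accidental = "+ echo token=" + SECRET
encoded = "auth header: " + base64.b64encode(SECRET.encode()).decode()
split = "\n".join(SECRET)              # one character per line

if __name__ == "__main__":
    for sample in (accidental, encoded, split):
        print(scrub(sample, [SECRET]))
        print("---")
```

Masking of this kind guards against accidental disclosure in job output; anyone who can run code in the job can still read the secret, so rotation remains the response when one is exposed.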