deepujain opened a new pull request, #64016: URL: https://github.com/apache/airflow/pull/64016
## Summary `reset_secrets_masker()` in `supervise()` clears **all** patterns from the SDK secrets masker — including config-level secrets (`webserver.secret_key`, `api.secret_key`, `api_auth.jwt_secret`) that were registered at startup by `conf.mask_secrets()`. After the reset, these secrets appear in plaintext in task subprocess logs when printed via `print()` or `structlog`. The fix calls `conf.mask_secrets()` immediately after `reset_secrets_masker()` to re-register config-level secrets before the task subprocess is forked. ## Changes - **`task-sdk/src/airflow/sdk/execution_time/supervisor.py`** — After `reset_secrets_masker()`, conditionally call `conf.mask_secrets()` when `airflow.configuration` is loaded (always true for worker-spawned supervisors) to re-register config secrets in the SDK masker. - **`task-sdk/tests/task_sdk/execution_time/test_supervisor.py`** — Regression test verifying that config secrets are re-masked after `reset_secrets_masker()` + `conf.mask_secrets()`. ## Test plan - [x] Added regression test `test_supervise_remasks_config_secrets_after_reset` - [ ] CI passes (ruff, mypy, pytest) Fixes #63921 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
