From 162f616b5a866ebb6cdbbe548cf230a4af9ea012 Mon Sep 17 00:00:00 2001
From: Valentin Maerten <maerten.valentin@gmail.com>
Date: Thu, 20 Nov 2025 19:40:53 +0100
Subject: [PATCH] add env example

---
 executor_test.go                                   |  8 ++++++++
 testdata/secrets/Taskfile.yml                      | 14 ++++++++++++++
 .../TestSecretVars-env_secret_limitation.golden    |  6 ++++++
 3 files changed, 28 insertions(+)
 create mode 100644 testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden

diff --git a/executor_test.go b/executor_test.go
index 17fc1c77..6af25356 100644
--- a/executor_test.go
+++ b/executor_test.go
@@ -295,6 +295,14 @@ func TestSecretVars(t *testing.T) {
 		),
 		WithTask("test-deferred-secret"),
 	)
+	NewExecutorTest(t,
+		WithName("env secret limitation"),
+		WithExecutorOptions(
+			task.WithDir("testdata/secrets"),
+		),
+		WithTask("test-env-secret-limitation"),
+	)
+
 }
 
 func TestRequires(t *testing.T) {
diff --git a/testdata/secrets/Taskfile.yml b/testdata/secrets/Taskfile.yml
index b2a41a61..ea65c3d9 100644
--- a/testdata/secrets/Taskfile.yml
+++ b/testdata/secrets/Taskfile.yml
@@ -50,3 +50,17 @@ tasks:
       - echo "Starting task"
       - defer: echo "Cleanup with secret={{.DEFERRED_SECRET}} and app={{.APP_NAME}}"
       - echo "Main command executed"
+
+  test-env-secret-limitation:
+    desc: Test showing that env vars with secret flag are NOT masked (limitation)
+    env:
+      SECRET_TOKEN:
+        value: "env-secret-token-123"
+        secret: true  # This flag does NOT work for env vars!
+      PUBLIC_ENV: "public-value"
+    cmds:
+      # Templates {{.VAR}} don't work with env - they're empty
+      - echo "Token via template is {{.SECRET_TOKEN}}"
+      # Shell $VAR works but is NOT masked (env vars not in template system)
+      - echo "Token via shell is $SECRET_TOKEN"
+      - echo "Public env is {{.PUBLIC_ENV}}"
diff --git a/testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden b/testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden
new file mode 100644
index 00000000..3c015fa3
--- /dev/null
+++ b/testdata/secrets/testdata/TestSecretVars-env_secret_limitation.golden
@@ -0,0 +1,6 @@
+task: [test-env-secret-limitation] echo "Token via template is "
+Token via template is 
+task: [test-env-secret-limitation] echo "Token via shell is $SECRET_TOKEN"
+Token via shell is env-secret-token-123
+task: [test-env-secret-limitation] echo "Public env is "
+Public env is