Imported Completed email shows the password used to access the remote repo

Summary

3 weeks after setting up a repo to do a pull mirror of https://github.com/nia-medtech/expo-server-sdk-java.git, I got 9 confirmation emails that it worked and they all had my credentials used to access the GH repo in both the email subject and body.

Steps to reproduce

Create a new, empty repo in GitLab
Add a pull mirror of https://github.com/nia-medtech/expo-server-sdk-java.git

Example Project

https://gitlab.com/trueblue1/peoplemanagement/stafftrack/expo-server-sdk-java

What is the current bug behavior?

The 9 emails were generated with the full URL including the basic auth info, specifically in the form of Dec 3, 2024 4:59...08:00

Subject:
Expo Server SDK Java | Import from https://caclark%40trueblue.com:MYREALPASSWORD@github.com/nia-medtech/expo-server-sdk-java.git completed

Body:
Import completed

The import you started on November 14, 2024 from https://caclark%40trueblue.com:MYREALPASSWORD@github.com/nia-medtech/expo-server-sdk-java.git [github.com] has completed. You can now review your import results.

What is the expected correct behavior?

For it to not include my credentials in the URL in either the subject or body of the email.

Also, I only need 1 email...not 9.

Relevant logs and/or screenshots

none

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

@clarktrip1

https://gitlab.com/trueblue1/peoplemanagement/stafftrack/expo-server-sdk-java

Results of GitLab application Check

Possible fixes

Edited Dec 03, 2024 by Cary Clark