Make Secret Masking Optional through new secrets:mask configuration

Proposal

Currently, all secrets are masked in the job output. We often have configuration that is not sensitive, but we use Vault to store it since it's the only place we can store mutable information. Therefore, having "secrets" be optionally not masked would be very helpful.

For example, the situation today:

myjob:
  secrets:
    SERVICE_URL:
      vault: "ci/service/url"
      file: false
  script:
    - |
      # shellcheck shell=bash
      set -euo pipefail
      echo "SERVICE_URL: ${SERVICE_URL}"

will output:

SERVICE_URL: [MASKED]

I propose to make masking optional through the addition of a new YAML option, secrets:masked, with a default value of true (which mirrors how the secrets:file option was added in a backwards compatible fashion).

With this option set, the secret wouldn't be masked. For example:

myjob:
  secrets:
    SERVICE_URL:
      vault: "ci/service/url"
      file: false
      masked: false
  script:
    - |
      # shellcheck shell=bash
      set -euo pipefail
      echo "SERVICE_URL: ${SERVICE_URL}"

will output:

SERVICE_URL: https://example.com

Our use case is that we want to output a link to a service URL, but since the URL is secret, it's masked and the user can't see it to go to it. Our workaround is to hardcode the URL in the YAML, but that requires a commit and release for each change of the URL, which is very problematic.

Edited by 🤖 GitLab Bot 🤖
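
A small model of the semantics proposed above, added here as an illustration and not taken from GitLab or GitLab Runner code: masking stays on unless a secret sets `masked: false`, and a non-boolean value is rejected instead of silently unmasking. The function names, the `API_TOKEN` secret, its Vault path and both secret values are constructed for the example.

```python
# Added illustration of the proposed semantics; not GitLab or GitLab Runner code.
MASK = "[MASKED]"


def resolve_masked(secret_cfg):
    """Proposed option: a missing `masked` key means true (backwards compatible)."""
    masked = secret_cfg.get("masked", True)
    if not isinstance(masked, bool):
        # e.g. a quoted "false" in YAML is a string: reject rather than guess
        raise ValueError("secrets:masked must be a boolean")
    return masked


def mask_log(line, secrets, values):
    """Replace the value of every secret that is still masked with MASK."""
    to_mask = {
        values[name]
        for name, cfg in secrets.items()
        if resolve_masked(cfg) and values.get(name)
    }
    # Longest first, so a masked value containing a shorter one is replaced whole.
    for value in sorted(to_mask, key=len, reverse=True):
        line = line.replace(value, MASK)
    return line


# Constructed sample: the job's `secrets:` block as parsed YAML, plus the
# values the CI system would have fetched from Vault (hypothetical here).
SECRETS = {
    "SERVICE_URL": {"vault": "ci/service/url", "file": False, "masked": False},
    "API_TOKEN": {"vault": "ci/service/token", "file": False},  # masked by default
}
VALUES = {
    "SERVICE_URL": "https://example.com",
    "API_TOKEN": "constructed-token-123",
}

if __name__ == "__main__":
    for log_line in (
        "SERVICE_URL: https://example.com",
        "calling https://example.com/?t=constructed-token-123",
    ):
        print(mask_log(log_line, SECRETS, VALUES))
```

Unmasking one secret leaves every other secret masked, including when both appear on the same log line.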