Remove tokens from manifest before rendering to file
This breaks some of the manifest purpose, as with this change you cannot replicate a build with just its manifest. But we never use that at GitLab anyways.
This is a quick fix to keep tokens out of the manifest. The fetchers don't use `to_hash` on the manifests, but rather call the `locked_sources` directly. So fetching still works, but anything that tries to output the manifest will have the tokens stripped.
A proper upstreamable fix would likely need more thought. (Maybe just an option to turn off the default manifest output, and we can build our own replacement in our existing version-manifest software piece).
Edited by DJ Mountney
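The split described above (the fetch path reads the raw sources, the output path gets a redacted copy) can be sketched as follows. This is an added example, not code from this merge request or the project: the `SketchManifest` class, its field names, and the assumption that the token sits in the userinfo part of a source URL are all hypothetical.

```ruby
# Hypothetical stand-in for a build manifest (not the project's class).
class SketchManifest
  # Assumption: the token is carried as scheme://user:token@host/... userinfo.
  USERINFO = %r{\A([a-z][a-z0-9+.-]*://)[^/@\s]+@}i

  def initialize
    @entries = {}
  end

  def add(name, locked_version, locked_source)
    @entries[name] = { locked_version: locked_version, locked_source: locked_source }
    self
  end

  # Fetch path: sources are returned untouched, credentials included.
  def locked_sources
    @entries.transform_values { |e| e[:locked_source] }
  end

  # Output path: build a fresh structure so the stored entries are never
  # mutated, and redact every string nested inside each source.
  def to_hash
    software = @entries.transform_values do |e|
      { locked_version: e[:locked_version], locked_source: redact(e[:locked_source]) }
    end
    { software: software }
  end

  private

  def redact(value)
    case value
    when Hash   then value.transform_values { |v| redact(v) }
    when Array  then value.map { |v| redact(v) }
    when String then value.sub(USERINFO, '\1')
    else value
    end
  end
end

# Constructed sample data; the host, user and token are placeholders.
SAMPLE = SketchManifest.new
  .add("private-dep", "abc123",
       { git: "https://ci-user:EXAMPLE-TOKEN@git.example.com/group/project.git" })
  .add("public-dep", "1.2.3", { url: "https://downloads.example.com/dep-1.2.3.tar.gz" })
  .add("ssh-dep", "def456", { git: "git@git.example.com:group/other.git" })
```

Building a new structure in `to_hash` instead of editing the stored entries is what keeps fetching working after the manifest has been rendered.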