fix(android): Mask auth token in sentry.gradle upload-task log (#6057)

antonis · claude · web-flow · commit 1b1809a4b908 · 2026-04-28T12:23:14.000Z
* fix(android): Mask auth token in sentry.gradle upload-task log

The upload task logged its full sentry-cli argument list at the gradle
lifecycle log level, which is the default verbosity. When flavorAware
is enabled the args include `--auth-token &lt;token&gt;`, exposing it in CI
build logs and developer terminal scrollback. Replace the token value
with `***` in the logged copy of the args; the actual command-line
invocation is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;

* Update changelog

---------

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@
 ### Fixes
 
 - Stop the Hermes sampling profiler on React instance teardown to prevent `pthread_kill` SIGABRT when the JS thread is torn down with profiling active ([#6035](https://github.com/getsentry/sentry-react-native/pull/6035))
+- Mask the Sentry auth token in the `sentry.gradle` upload-task lifecycle log ([#6057](https://github.com/getsentry/sentry-react-native/pull/6057))
 - Discard invalid navigation/interaction transactions via an event processor instead of mutating the internal `_sampled` flag, removing misleading "dropped due to sampling" debug logs ([#6051](https://github.com/getsentry/sentry-react-native/pull/6051))
 
 ### Dependencies
diff --git a/packages/core/sentry.gradle b/packages/core/sentry.gradle
@@ -269,7 +269,9 @@ plugins.withId('com.android.application') {
 
                                 args.addAll(extraArgs)
 
-                                project.logger.lifecycle("Sentry-CLI arguments: ${args}")
+                                // Mask sentryAuthToken in the logged args; do not pass loggedArgs to the CLI.
+                                def loggedArgs = sentryAuthToken ? args.collect { it == sentryAuthToken ? "***" : it } : args
+                                project.logger.lifecycle("Sentry-CLI arguments: ${loggedArgs}")
                                 def osCompatibility = Os.isFamily(Os.FAMILY_WINDOWS) ? ['cmd', '/c', 'node'] : []
                                 if (!System.getenv('SENTRY_DOTENV_PATH') && file("$reactRoot/.env.sentry-build-plugin").exists()) {
                                     environment('SENTRY_DOTENV_PATH', "$reactRoot/.env.sentry-build-plugin")
