feat: add custom headers to taskrc and cli flags by ldgriswold · Pull Request #2700 · go-task/task
Issue Link: #1317
This PR adds support for custom HTTP headers when fetching remote Taskfiles, enabling authentication with services like GitHub,
GitLab, and other platforms without exposing credentials in URLs.
Features
Configuration via .taskrc.yml:
    remote:
      headers:
        raw.githubusercontent.com:
          Authorization: "Bearer {{.GITHUB_TOKEN}}"
        gitlab.com:
          PRIVATE-TOKEN: "{{.GITLAB_TOKEN}}"
CLI Flag Support:
    task --header "raw.githubusercontent.com:Authorization=Bearer token" mytask

Key Capabilities:
- Custom header names (e.g., GitLab's PRIVATE-TOKEN)
- Environment variable expansion using {{.VAR}} syntax
- Host-specific header matching (exact hostname including port)
- CLI flags override config file settings
- Config file merging (local > home > XDG)
Security
Built-in Protections:
- Forbidden headers blocked: Host, Content-Length, Transfer-Encoding, Trailer, Connection, Upgrade, Location, Set-Cookie
- Control character validation prevents HTTP header injection
- Headers only sent to exact hostname matches
- Warning messages logged when headers are skipped
Implementation Details
- Headers threaded through both root node and Reader (follows TLS cert pattern)
- Environment variable expansion uses env.GetEnviron() for full env access
- Merge semantics handle nested maps from multiple config sources
Testing
- 183 lines of config parsing tests in taskrc/taskrc_test.go
- 238 lines of integration tests in task_test.go covering:
  - Config file parsing
  - Environment variable expansion
  - CLI flag usage
  - Host-specific matching
  - Forbidden header blocking
  - Control character validation
All tests passing.
Documentation
Updated website/src/docs/experiments/remote-taskfiles.md with:
- Configuration examples
- CLI flag usage
- Security best practices
- Multiple authentication scenarios
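The three protections listed under Security (forbidden names, control-character rejection, exact host-and-port matching) combined in one filter, as an added Go example that is not the PR's code. `HeadersFor`, the config map shape and the `example.test` hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// forbidden holds the header names the PR description lists as blocked.
var forbidden = map[string]bool{
	"Host": true, "Content-Length": true, "Transfer-Encoding": true, "Trailer": true,
	"Connection": true, "Upgrade": true, "Location": true, "Set-Cookie": true,
}

// hasControl reports whether s contains CR, LF or any other control character.
func hasControl(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// HeadersFor (hypothetical name) returns the headers safe to send to rawURL and the
// names it skipped. cfg maps host[:port] to header name/value pairs (assumed shape).
func HeadersFor(rawURL string, cfg map[string]map[string]string) (http.Header, []string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, nil, err
	}
	out, skipped := http.Header{}, []string{}
	for name, value := range cfg[u.Host] { // u.Host keeps the port, so the match is exact
		canon := http.CanonicalHeaderKey(name) // "host" and "Host" are the same header
		if forbidden[canon] || hasControl(name) || hasControl(value) {
			skipped = append(skipped, name) // a caller would log a warning for these
			continue
		}
		out.Set(canon, value)
	}
	sort.Strings(skipped)
	return out, skipped, nil
}

func main() {
	// Constructed sample configuration; the token value is a placeholder.
	cfg := map[string]map[string]string{"example.test:8443": {
		"Authorization": "Bearer constructed", "host": "other.test", "X-Trace": "a\r\nX-Injected: 1",
	}}
	h, skipped, _ := HeadersFor("https://example.test:8443/Taskfile.yml", cfg)
	fmt.Println(h, skipped)
}
```

Because the lookup key includes the port, a token configured for `example.test:8443` is not attached to a request for `example.test` on the default port.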