From 54e90cebb2210b1381ef8c6e535a05e715e0e9e8 Mon Sep 17 00:00:00 2001
From: Tom Hunze <dev@thunze.de>
Date: Wed, 17 Dec 2025 17:35:19 +0100
Subject: [PATCH] Create GitLab CI/CD variables with visibility masked and
 hidden on init

"Masked and hidden" means: The variable value is masked in job logs and
can never be revealed in the CI/CD settings after the variable has been
saved.

This is consistent with the workflow for creating and updating new
access tokens on both GitLab and Zenodo, where a token can never be
revealed after it has been saved.

GitLab API docs: https://docs.gitlab.com/api/project_level_variables/#create-a-variable
---
 src/hermes/commands/init/base.py                | 4 ++--
 src/hermes/commands/init/util/connect_gitlab.py | 9 ++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/hermes/commands/init/base.py b/src/hermes/commands/init/base.py
index 5937eded..30652e2f 100644
--- a/src/hermes/commands/init/base.py
+++ b/src/hermes/commands/init/base.py
@@ -599,13 +599,13 @@ def configure_gitlab(self) -> None:
                     self.git_remote_url + "/-/settings/ci_cd", "project's ci settings")
             ))
             sc.echo("Then, add that token as variable with key HERMES_PUSH_TOKEN.")
-            sc.echo("(For your safety, you should set the visibility to 'Masked'.)")
+            sc.echo("(For your safety, you should set the visibility to 'Masked and hidden'.)")
             sc.press_enter_to_continue()
             sc.echo("Next, add the {} token{} as variable with key ZENODO_TOKEN.".format(
                 self.deposit_platform.name,
                 f" ({self.tokens[self.deposit_platform]})" if self.tokens[self.deposit_platform] else ""
             ))
-            sc.echo("(For your safety, you should set the visibility to 'Masked'.)")
+            sc.echo("(For your safety, you should set the visibility to 'Masked and hidden'.)")
             sc.press_enter_to_continue()
 
     def choose_deposit_platform(self) -> None:
diff --git a/src/hermes/commands/init/util/connect_gitlab.py b/src/hermes/commands/init/util/connect_gitlab.py
index 32b115a8..6aeb8012 100644
--- a/src/hermes/commands/init/util/connect_gitlab.py
+++ b/src/hermes/commands/init/util/connect_gitlab.py
@@ -120,7 +120,14 @@ def create_variable(self, key: str, value, description: str = "") -> bool:
         sc.debug_info(delete_status=delete_response.status_code, delete_response=delete_response.text)
         # Then create a new variable
         create_url = urljoin(self.api_url, f"projects/{self.project_id}/variables")
-        data = {"key": key, "value": value, "masked": True, "raw": True, "description": description}
+        data = {
+            "key": key,
+            "value": value,
+            "masked": True,
+            "masked_and_hidden": True,
+            "raw": True,
+            "description": description,
+        }
         response = requests.post(create_url, headers=headers, json=data)
         if response.status_code == 201:
             desc = f" ({description})" if description else ""