Gocd: Agent Git Credentials Push

Created on 19 Jan 2016 · 3 Comments · Source: gocd/gocd

When configuring a material backed by Git, such as GitHub.com or GHE, the user story for non-public repositories is unpleasant. GoCD is built for the world where nobody keeps a git repo private, so there's no server-level push for personal access tokens _nor_ is there the ability to encrypt API credentials/tokens in material definitions.

Users end up having to either:

  • Log onto each server with an agent and set global git configuration credentials.
  • Bake the token into the URL that is used to access the material. This turns up in console logs and outputs, but is also used to identify the material for versioning checks. Big security risk.

Proposed changes:

  • Ability to define via a secure variable (environment, pipeline, stage or job, task) a GIT_SSH_KEY or GIT_API_TOKEN that allows the credentials to be set for particular pipelines or steps.
  • Exclusion of API tokens/credentials in URL from material definitions when performing comparisons. This allows for key rotation. I'd recommend performing this stripping of keys at the material comparison step so that there's no retroactive update to the H2DB required.
  • Stripping of API tokens/credentials in material URIs logged in the agent console.
  • Separation out of the credentials from the URL input, such that if a URL has credentials in it, upon save/edit the user sees three boxes (URL, Username, Password - with password suppressed/'click to change').

Anyone got thoughts on this?

agents enhancement materials
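The two stripping points proposed above (ignore credentials when comparing materials, and scrub them from anything written to the agent console) can be shown in a few lines. The following is an added example written for this discussion, not GoCD code: `split_credentials`, `redact_url`, `redact_line`, `material_fingerprint` and `same_material` are hypothetical names, the fingerprint is a deliberately simplified (URL without userinfo, plus branch) stand-in for whatever a real server would persist, and every token in it is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches "<scheme>://<userinfo>@" anywhere in a line of console output.
# Both "user:password@" and token-as-username forms ("TOKEN@host") are caught.
_USERINFO_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.\-]*://)[^/\s@]+@")


def split_credentials(url):
    """Return (url_without_userinfo, username, password).

    scp-style "git@host:org/repo.git" and local paths carry no embedded
    secret (authentication is by SSH key), so they are returned untouched.
    """
    if "://" not in url:
        return url, None, None
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, None, None
    host = parts.hostname or ""          # note: urlsplit lower-cases the host
    if ":" in host:                      # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password


def redact_url(url):
    """URL that is safe to print: userinfo replaced by '***@' so the host stays visible."""
    clean, user, pw = split_credentials(url)
    if user is None and pw is None:
        return clean
    parts = urlsplit(clean)
    return urlunsplit((parts.scheme, "***@" + parts.netloc, parts.path, parts.query, parts.fragment))


def redact_line(line):
    """Scrub embedded credentials from an arbitrary console line (e.g. git's own messages)."""
    return _USERINFO_RE.sub(r"\1***@", line)


def material_fingerprint(url, branch="master"):
    """Identity of a material for change detection (hypothetical, simplified).

    Credentials are deliberately NOT part of it, so rotating a token in the URL
    does not make the server think it is looking at a brand-new material.
    """
    clean, _, _ = split_credentials(url)
    return (clean.rstrip("/"), branch)


def same_material(url_a, url_b, branch_a="master", branch_b="master"):
    """True when two material definitions differ at most in embedded credentials."""
    return material_fingerprint(url_a, branch_a) == material_fingerprint(url_b, branch_b)


if __name__ == "__main__":
    # Constructed sample values; the tokens are placeholders, not real credentials.
    old = "https://x-access-token:OLD_TOKEN_PLACEHOLDER@github.com/example-org/app.git"
    new = "https://x-access-token:NEW_TOKEN_PLACEHOLDER@github.com/example-org/app.git"
    print(redact_url(old))                                   # https://***@github.com/example-org/app.git
    print(redact_line("Cloning into 'app'... from " + old))  # token gone, host kept
    print(same_material(old, new))                           # True: rotation is not a new material
```

`redact_line` is the piece to hang on the agent's console writer, since git itself echoes the remote URL in errors such as "repository not found"; `redact_url` is enough for messages the server composes itself. Note that `urlsplit` returns the userinfo fields un-decoded, so a percent-encoded password comes back exactly as typed.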

All 3 comments

Sort of related to #951, #430 and #1323. Needs some PR love. I'd suggest thinking about more generic SSH key support (à la #430), because that will support git:// URLs as well as svn+ssh://, ssh://[email protected]... and everything else.

Some of what you've mentioned is related to #1696 as well. So, maybe @ketan has some thoughts.

Lacking this feature makes it a no-go. Simple config of ssh-keys is a minimum requirement of modern CI/CD tools.

GoCD now has secrets management support, which makes this a little better (can parameterize SSH keys and tokens externally). I understand it is not perfect and seamless.
