feat: add custom headers to taskrc and cli flags #2700

Open
ldgriswold wants to merge 1 commit into go-task:main from ldgriswold:feat/auth-headers

@ldgriswold

Issue Link: #1317

This PR adds support for custom HTTP headers when fetching remote Taskfiles, enabling authentication with services like GitHub,
GitLab, and other platforms without exposing credentials in URLs.

Features

Configuration via .taskrc.yml:

remote:
  headers:
    raw.githubusercontent.com:
      Authorization: "Bearer {{.GITHUB_TOKEN}}"
    gitlab.com:
      PRIVATE-TOKEN: "{{.GITLAB_TOKEN}}"

CLI Flag Support:

task --header "raw.githubusercontent.com:Authorization=Bearer token" mytask

Key Capabilities:

  • Custom header names (e.g., GitLab's PRIVATE-TOKEN)
  • Environment variable expansion using {{.VAR}} syntax
  • Host-specific header matching (exact hostname including port)
  • CLI flags override config file settings
  • Config file merging (local > home > XDG)

Security

Built-in Protections:

  • Forbidden headers blocked: Host, Content-Length, Transfer-Encoding, Trailer, Connection, Upgrade, Location, Set-Cookie
  • Control character validation prevents HTTP header injection
  • Headers only sent to exact hostname matches
  • Warning messages logged when headers are skipped

Implementation Details

  • Headers threaded through both root node and Reader (follows TLS cert pattern)
  • Environment variable expansion uses env.GetEnviron() for full env access
  • Merge semantics handle nested maps from multiple config sources

Testing

  • 183 lines of config parsing tests in taskrc/taskrc_test.go
  • 238 lines of integration tests in task_test.go covering:
    • Config file parsing
    • Environment variable expansion
    • CLI flag usage
    • Host-specific matching
    • Forbidden header blocking
    • Control character validation

All tests passing.

Documentation

Updated website/src/docs/experiments/remote-taskfiles.md with:

  • Configuration examples
  • CLI flag usage
  • Security best practices
  • Multiple authentication scenarios

@ldgriswold ldgriswold force-pushed the feat/auth-headers branch 3 times, most recently from bc7f272 to 1c09550 Compare February 20, 2026 20:34
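
The protections listed under Security in the description above, sketched as an added example (not the PR's code or go-task's implementation). The function names `headersFor` and `hasControl`, the warning strings, and the sample configuration are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Added example, not the PR's code. These are the header names the description lists as blocked.
var forbidden = map[string]bool{
	"Host": true, "Content-Length": true, "Transfer-Encoding": true, "Trailer": true,
	"Connection": true, "Upgrade": true, "Location": true, "Set-Cookie": true,
}

// hasControl reports whether s contains an ASCII control character (CR and LF included).
func hasControl(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// headersFor returns the headers configured for the exact host (port included)
// of rawURL, plus one warning for every configured header that was skipped.
func headersFor(cfg map[string]map[string]string, rawURL string) (http.Header, []string) {
	out, warnings := http.Header{}, []string{}
	u, err := url.Parse(rawURL)
	if err != nil {
		return out, append(warnings, "unparseable URL: "+err.Error())
	}
	for name, value := range cfg[u.Host] { // exact key lookup: no suffix or wildcard matching
		canon := http.CanonicalHeaderKey(strings.TrimSpace(name))
		switch {
		case forbidden[canon]:
			warnings = append(warnings, "skipped forbidden header "+canon)
		case canon == "" || hasControl(name) || hasControl(value):
			warnings = append(warnings, fmt.Sprintf("skipped header %q: control character or empty name", name))
		default:
			out.Set(canon, value)
		}
	}
	return out, warnings
}

func main() {
	cfg := map[string]map[string]string{ // constructed sample configuration
		"raw.githubusercontent.com": {"Authorization": "Bearer example", "host": "other.example", "X-Trace": "a\r\nInjected: 1"},
	}
	h, w := headersFor(cfg, "https://raw.githubusercontent.com/org/repo/main/Taskfile.yml")
	fmt.Println(h, w)
}
```

Because the lookup key is `u.Host`, a token configured for `raw.githubusercontent.com` is not attached to a look-alike host or to the same hostname on a different port.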