Current behavior (from README):

If your composer.json file contains the extension key at [extra][typo3/cms][extension-key] = 'my_key' (this is good practice anyway), the TYPO3_EXTENSION_KEY secret and assignment in the below GitHub action example is not needed, tailor will pick it up.
Problem:

This leaves ambiguous what happens when both are set. Which takes precedence?

Suggested behavior:

1. Use [extra][typo3/cms][extension-key] from composer.json as the primary source
2. Fall back to TYPO3_EXTENSION_KEY secret only for backwards compatibility, with a deprecation warning
3. Document this precedence clearly

Benefits:

• Single source of truth in version-controlled composer.json
• Solves CI log masking issue: secrets are redacted, causing unhelpful error messages like "Could not publish
  extension ***" (especially when copy and pasted into error reports for tailor or TER)

Example:

https://github.com/FriendsOfTYPO3/content-blocks/actions/runs/19767317783/job/56643169624#step:8:14

Run php ~/.composer/vendor/bin/tailor ter:publish --comment "[RELEASE] Release version 2.0.1" 2.0.1

Publishing version 2.0.1 of extension ***
====================================================

Warning: ] Could not publish version 2.0.1 of extension ***.         
           Reason: The user is not allowed to access this extension.            

Error: Process completed with exit code 1.