Strange problem with secrets

[owlzq1]

I've encountered a strange problem with decrypted secrets in canned scripts for ansible deployment and have no idea whats happening.
In short, secret refs leak to the executed ansible command, even though the script file is decrypted and contains valid decrypted secrets.
Here are the scripts:
common.sh

...
check_ansible_version
kapitan compile -t c01 --fetch --force --reveal
cat $DIR/install_eswe.sh

install_eswe.sh

#!/bin/bash
set -e           # If a command fails, the whole script exit
set -u           # Treat unset variables as an error, and immediately exit.
set -o pipefail  # this will make your script exit if any command in a pipeline errors

DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
source "${DIR}"/common.sh

pushd $ESWE_DIR &> /dev/null
ansible-playbook provision.yml -vvvv -i $ROOT_DIR/compiled/c01/ansible -b \
  '-e allowreboot=true ansible_user=?{gkms:passwords/lab-bm@ansible_creds.user:a7b9736c} ansible_password=?{gkms:passwords/lab-bm@ansible_creds.password:a7b9736c}'

Script log:

Compiled c01.k02.ams02 (1.14s)
(cat compiled/c01/scripts/install_eswe.sh)
#!/bin/bash
set -e           # If a command fails, the whole script exit
set -u           # Treat unset variables as an error, and immediately exit.
set -o pipefail  # this will make your script exit if any command in a pipeline errors
DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
source "${DIR}"/common.sh
pushd $ESWE_DIR &> /dev/null
ansible-playbook provision.yml -vvvv -i $ROOT_DIR/compiled/c01/ansible -b \
 '-e allowreboot=true ansible_user=root ansible_password=pass'
 
  ...
PLAYBOOK: provision.yml ********************************************************
Positional arguments: provision.yml
...
extra_vars: (' allowreboot=true ansible_user=?{gkms:passwords/lab-bm@ansible_creds.user:a7b9736c} ansible_password=?{gkms:passwords/lab-bm@ansible_creds.password:a7b9736c}',)
...
"msg": "Invalid/incorrect username/password. Skipping remaining 3 retries to prevent account lockout

14:46:40 > cat ./compiled/c01/ansible/scripts/install_eswe.sh
#!/bin/bash

set -e           # If a command fails, the whole script exit
set -u           # Treat unset variables as an error, and immediately exit.
set -o pipefail  # this will make your script exit if any command in a pipeline errors

DIR=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
source "${DIR}"/common.sh

pushd $ESWE_DIR &> /dev/null
ansible-playbook provision.yml -vvvv -i $ROOT_DIR/compiled/c01/ansible -b \
 '-e allowreboot=true ansible_user=root ansible_password=pass'

14:46:47 > grep '?{gkms:passwords/lab-bm@ansible_creds.user:a7b9736c}' compiled/c01/* -R

14:46:53 > grep '?{gkms:passwords/lab-bm@ansible_creds.user:a7b9736c}' .ansible/* -R

When run locally it happens almost every second try. That is I run the script and it fails to connect because secrets look encrypted, even though cat of the script file shows that it's decrypted, and on the second run it will work as expected, and then it can fail again.
It reproduces on ci runner with the exception that it happens every time there, no successful runs so far.

[owlzq1]

I think i've got it. It's the way i run the bash scripts 🤦
Now that I've described it in one place i can see it^^
I'll mark this as the answer without explaining, since the small thought exercise is the only value of this...