Be explicit about setting :masked

Only some values can be masked. Currently API defaults :masked to false
and browser defaults :masked to true - resolve this ambiguity by
requiring QA to be explicit about which value it requires for :masked.

qa/qa/resource/ci_variable.rb

@@ -3,7 +3,7 @@
 module QA
   module Resource
     class CiVariable < Base
-      attr_accessor :key, :value
+      attr_accessor :key, :value, :masked
 
       attribute :project do
         Project.fabricate! do |resource|
@@ -49,7 +49,8 @@ module QA
       def api_post_body
         {
           key: key,
-          value: value
+          value: value,
+          masked: masked
         }
       end
     end

qa/qa/specs/features/browser_ui/4_verify/ci_variable/add_ci_variable_spec.rb

@@ -16,6 +16,7 @@ module QA
           resource.project = project
           resource.key = 'VARIABLE_KEY'
           resource.value = 'some_CI_variable'
+          resource.masked = false
         end
 
         project.visit!

qa/qa/specs/features/browser_ui/6_release/deploy_key/clone_using_deploy_key_spec.rb

@@ -60,6 +60,7 @@ module QA
             resource.project = @project
             resource.key = deploy_key_name
             resource.value = key.private_key
+            resource.masked = false
           end
 
           gitlab_ci = <<~YAML

qa/qa/specs/features/browser_ui/7_configure/auto_devops/create_project_with_auto_devops_spec.rb

@@ -34,6 +34,7 @@ module QA
             resource.project = @project
             resource.key = 'CODE_QUALITY_DISABLED'
             resource.value = '1'
+            resource.masked = false
           end
 
           # Set an application secret CI variable (prefixed with K8S_SECRET_)
@@ -41,6 +42,7 @@ module QA
             resource.project = @project
             resource.key = 'K8S_SECRET_OPTIONAL_MESSAGE'
             resource.value = 'you_can_see_this_variable'
+            resource.masked = false
           end
 
           # Connect K8s cluster