password_env_name bleeding over to next package

[yippie]

Describe the bug

When listing dependencies, if some require an installation key and others don't, the key settings is reused for the next package unless it is overwritten

Reproduction steps

1. Have a cumulusCI project with at least two managed dependencies.
2. First dependency should require an install key and the second one should not. Dependencies will look like this:

dependencies:
    - version_id: 04t3x0000015ElnAAE
      password_env_name: PLTFM_INSTALL_KEY
    - version_id: 04t3x000000WxbSAAS

3. cci task run update_dependencies

EXPECTED: both dependencies will install ACTUAL: Second dependency fails with the following error:

Error: Malformed request https://customer-fun-1122.scratch.my.salesforce.com/services/data/v55.0/tooling/sobjects/PackageInstallRequest/. Response content: [{'message': 'Can’t install package. This 
package doesn’t require an installation key. Install the package without specifying an installation key.: Password', 'errorCode': 'FIELD_INTEGRITY_EXCEPTION', 'fields': ['Password']}]

Your CumulusCI and Python versions

CumulusCI version: 3.73.0 (/Users/kai.amundsen/.local/bin/cci) Python version: 3.10.9 (/Users/kai.amundsen/.local/pipx/venvs/cumulusci/bin/python)

Operating System

macOS Ventura 13.0.1

Windows environment

No response

CumulusCI installation method

pipx

Error Gist

No response

Additional information

WORKAROUND: on second package that is not supposed to have a key set password_env_name: NO_KEY where NO_KEY does not actually exist as an env var.

[jstvz]

@yippie Thanks for the report. We're working on a reproduction and will update this issue once we know more.