fix: feat: consolidate secret stores — single granular secrets/*.enc, deprecate .env.vault.enc (#777)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 18:35:03 +00:00 · 2026-04-15 18:35:03 +00:00 · 88676e65ae
commit 88676e65ae
parent a87dcdf40b
14 changed files with 254 additions and 130 deletions
--- a/lib/env.sh
+++ b/lib/env.sh
@ -158,8 +158,8 @@ export WOODPECKER_SERVER="${WOODPECKER_SERVER:-http://localhost:8000}"
 export CLAUDE_TIMEOUT="${CLAUDE_TIMEOUT:-7200}"

 # Vault-only token guard (#745): external-action tokens (GITHUB_TOKEN, CLAWHUB_TOKEN)
-# must NEVER be available to agents. They live in .env.vault.enc and are injected
-# only into the ephemeral runner container at fire time. Unset them here so
+# must NEVER be available to agents. They live in secrets/*.enc and are decrypted
+# only into the ephemeral runner container at fire time (#777). Unset them here so
 # even an accidental .env inclusion cannot leak them into agent sessions.
 unset GITHUB_TOKEN 2>/dev/null || true
 unset CLAWHUB_TOKEN 2>/dev/null || true
--- a/lib/generators.sh
+++ b/lib/generators.sh
@ -372,8 +372,8 @@ services:
      PLANNER_INTERVAL: ${PLANNER_INTERVAL:-43200}
    # IMPORTANT: agents get explicit environment variables (forge tokens, CI tokens, config).
    # Vault-only secrets (GITHUB_TOKEN, CLAWHUB_TOKEN, deploy keys) live in
-    # .env.vault.enc and are NEVER injected here — only the runner
-    # container receives them at fire time (AD-006, #745).
+    # secrets/*.enc and are NEVER injected here — only the runner
+    # container receives them at fire time (AD-006, #745, #777).
    depends_on:
      forgejo:
        condition: service_healthy