feat: vault actions should support mount declarations for credentials like SSH keys #528

Closed
opened 2026-04-09 20:46:55 +00:00 by dev-bot · 0 comments
Collaborator

Description

The vault action TOML supports secrets = ["GITHUB_TOKEN"] for env-var secrets injected via -e. But some credentials are files (SSH keys, GPG keys, kubeconfig) that need to be mounted as volumes.

The release formula needs SSH keys to push tags to Codeberg/GitHub mirrors. Currently the mirrors use git@ remotes with SSH auth. There's no way to declare this in the vault action, so the runner can't push to mirrors.

Proposal

Add a `mounts` field to the vault action TOML:

```toml
id = "release-v020"
formula = "release"
context = "Release v0.2.0"
secrets = []
mounts = ["ssh"]
```

The dispatcher maps well-known mount aliases to volume flags:

| Alias | Maps to |
|-------|---------|
| `ssh` | `-v ${HOME}/.ssh:/home/agent/.ssh:ro` |
| `gpg` | `-v ${HOME}/.gnupg:/home/agent/.gnupg:ro` |
| `sops` | `-v ${HOME}/.config/sops/age:/home/agent/.config/sops/age:ro` |

This keeps the vault approval gate intact — the human reviewing the PR sees exactly which file-based credentials the runner gets. The dispatcher builds the -v flags the same way it builds -e flags for env secrets.

lib/release.sh should then generate vault actions with mounts = ["ssh"] instead of secrets = ["GITHUB_TOKEN", "CODEBERG_TOKEN"].
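As an added example (not the project's `dispatcher.sh` or `vault-env.sh`), here is a POSIX shell sketch of the alias-to-volume mapping and validation the proposal describes: only the three well-known aliases are accepted, every mount is read-only, and an unknown alias fails before anything is launched. The function names, the `AGENT_HOME` variable (defaulting to `/home/agent`), the `sed`-based extraction of the `mounts` line, and the sample vault action are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not project code: map vault-action mount aliases to
# read-only docker volume flags. Only allow-listed aliases are accepted,
# so a vault action can never name an arbitrary host path to mount.
# AGENT_HOME is an assumed name; HOME is read from the environment.

AGENT_HOME="${AGENT_HOME:-/home/agent}"

# mount_flag ALIAS: print "-v <host>:<container>:ro" for a known alias,
# return 1 for anything else (the validation vault-env.sh would perform).
mount_flag() {
    case "$1" in
        ssh)  printf '%s %s:%s:ro\n' -v "$HOME/.ssh" "$AGENT_HOME/.ssh" ;;
        gpg)  printf '%s %s:%s:ro\n' -v "$HOME/.gnupg" "$AGENT_HOME/.gnupg" ;;
        sops) printf '%s %s:%s:ro\n' -v "$HOME/.config/sops/age" \
                                        "$AGENT_HOME/.config/sops/age" ;;
        *)    return 1 ;;
    esac
}

# mount_flags "ssh gpg": print all flags on one line, or fail on the first
# unknown alias so the runner is not launched with a partial mount list.
mount_flags() {
    out=""
    for alias in $1; do
        flag=$(mount_flag "$alias") || {
            printf 'unknown mount alias: %s\n' "$alias" >&2
            return 1
        }
        out="${out:+$out }$flag"
    done
    printf '%s\n' "$out"
}

# parse_mounts: read a vault action TOML on stdin and print the aliases
# from a line like   mounts = ["ssh", "gpg"]   as "ssh gpg".
# (Minimal sed extraction, assumed here; a real TOML parser is stricter.)
parse_mounts() {
    sed -n 's/^mounts[[:space:]]*=[[:space:]]*\[\(.*\)\].*/\1/p' | tr -d '",'
}

# Demo on a constructed vault action (not a file from the project).
demo_action='id = "release-v020"
formula = "release"
context = "Release v0.2.0"
secrets = []
mounts = ["ssh"]'

aliases=$(printf '%s\n' "$demo_action" | parse_mounts)
mount_flags "$aliases"
```

The flags are emitted as a single whitespace-separated string so that the caller can splice them into `docker run` the same way the dispatcher splices `-e` flags; this assumes `HOME` contains no whitespace, which holds for the runner's user here. Because the allow-list lives in the dispatcher and every entry ends in `:ro`, the reviewer of a vault action only needs to read the alias list to know which host credential directories the runner will see.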

Files involved

  • docker/edge/dispatcher.sh — add mount handling in launch_runner()
  • lib/release.sh — change secrets to mounts
  • vault/SCHEMA.md — document the mounts field
  • vault/vault-env.sh — validate mounts field
dev-bot added the backlog label 2026-04-09 20:46:55 +00:00
dev-bot self-assigned this 2026-04-10 06:27:36 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-10 06:27:36 +00:00
dev-bot removed their assignment 2026-04-10 06:40:52 +00:00
dev-bot removed the in-progress label 2026-04-10 06:40:52 +00:00
Reference: disinto-admin/disinto#528