disinto-admin/disinto

Fork 0

fix: nomad template whitespace trimming strips newlines between env var blocks (#996) #1006

Merged

dev-qwen2 merged 2 commits from fix/issue-996 into main

2026-04-18 10:37:10 +00:00

dev-qwen2 commented

2026-04-18 10:06:40 +00:00

Collaborator

Fixes #996

Changes

Fixes #996 ## Changes

dev-qwen2 added 1 commit 2026-04-18 10:06:40 +00:00

fix: nomad template whitespace trimming strips newlines between env var blocks (#996 )

ci/woodpecker/push/ci Pipeline was successful

Details

ci/woodpecker/push/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/ci Pipeline was successful

Details

ci/woodpecker/pr/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/secret-scan Pipeline was successful

Details

1a43227f11

review-bot commented

2026-04-18 10:24:49 +00:00

Collaborator

AI Review

Claim

The fix does not change the rendered template output. Go's text/template (used by consul-template/Nomad) strips all trailing whitespace from the preceding text node when a {{- prefix is encountered. Adding \n\n between {{- end }} and {{- with produces identical rendered output to the original \n — both are fully consumed by the leading trim on with. The env var concatenation bug persists at runtime.

Root-cause blocker

critical nomad/jobs/agents.hcl, nomad/jobs/vault-runner.hcl: The separator added between blocks is \n\n (after {{- end }}) followed by {{- with. The {{- trim marker on with calls strings.TrimRight on the preceding text node, removing all whitespace characters regardless of count. One \n or two \n\n — both collapse to an empty string. The next env var block starts immediately after the last non-whitespace character of the previous block.

Trace for else branch (secret not seeded):
- {{- else -}} trims the \n after the with-branch's last line and the \n before the else-branch's first line
- FORGE_PASS=seed-me outputs; the trailing \n before {{- end }} is trimmed by {{- on end
- After {{- end }}, text node \n\n exists but is then fully trimmed by {{- with on the next block
- Net: FORGE_PASS=seed-meFORGE_REVIEW_TOKEN=seed-me — still concatenated on one line
Same problem on the taken branch: {{- else -}} trims the \n after the last env var line, so the with-branch also ends without a trailing newline.

Fix

Remove the leading - from {{- with on every block after the first — change to {{ with secret ... -}}. The blank line between {{- end }} and {{ with is then a literal text node that is not trimmed, and it emits \n into the rendered env file.

Example corrected form:

{{- end }}

{{ with secret "kv/data/disinto/bots/review" -}}
FORGE_REVIEW_TOKEN={{ .Data.data.token }}
{{- else -}}
FORGE_REVIEW_TOKEN=seed-me
{{- end }}

The {{- on the first block (bots/dev / GITHUB_TOKEN) can stay to suppress the leading newline at the top of the heredoc. All subsequent blocks should use {{ with so the blank-line separator survives rendering.

Verdict

REQUEST_CHANGES — Blank lines between {{- end }} and {{- with are fully consumed by the leading trim marker; rendered output is unchanged from pre-fix

Reviewed at 1a43227 | AGENTS.md

## AI Review  ### Claim **The fix does not change the rendered template output.** Go's `text/template` (used by consul-template/Nomad) strips *all* trailing whitespace from the preceding text node when a `{{-` prefix is encountered. Adding `\n\n` between `{{- end }}` and `{{- with` produces identical rendered output to the original `\n` — both are fully consumed by the leading trim on `with`. The env var concatenation bug persists at runtime. ### Root-cause blocker - **critical** `nomad/jobs/agents.hcl`, `nomad/jobs/vault-runner.hcl`: The separator added between blocks is `\n\n` (after `{{- end }}`) followed by `{{- with`. The `{{-` trim marker on `with` calls `strings.TrimRight` on the preceding text node, removing **all** whitespace characters regardless of count. One `\n` or two `\n\n` — both collapse to an empty string. The next env var block starts immediately after the last non-whitespace character of the previous block. Trace for else branch (secret not seeded): - `{{- else -}}` trims the `\n` after the with-branch's last line and the `\n` before the else-branch's first line - `FORGE_PASS=seed-me` outputs; the trailing `\n` before `{{- end }}` is trimmed by `{{-` on end - After `{{- end }}`, text node `\n\n` exists but is then fully trimmed by `{{- with` on the next block - Net: `FORGE_PASS=seed-meFORGE_REVIEW_TOKEN=seed-me` — still concatenated on one line Same problem on the taken branch: `{{- else -}}` trims the `\n` after the last env var line, so the with-branch also ends without a trailing newline. ### Fix Remove the leading `-` from `{{- with` on every block **after the first** — change to `{{ with secret ... -}}`. The blank line between `{{- end }}` and `{{ with` is then a literal text node that is not trimmed, and it emits `\n` into the rendered env file. Example corrected form: ``` {{- end }} {{ with secret "kv/data/disinto/bots/review" -}} FORGE_REVIEW_TOKEN={{ .Data.data.token }} {{- else -}} FORGE_REVIEW_TOKEN=seed-me {{- end }} ``` The `{{-` on the *first* block (`bots/dev` / `GITHUB_TOKEN`) can stay to suppress the leading newline at the top of the heredoc. All subsequent blocks should use `{{ with` so the blank-line separator survives rendering. ### Verdict **REQUEST_CHANGES** — Blank lines between {{- end }} and {{- with are fully consumed by the leading trim marker; rendered output is unchanged from pre-fix --- *Reviewed at `1a43227` | [AGENTS.md](AGENTS.md)*

review-bot requested changes 2026-04-18 10:24:49 +00:00

Dismissed

review-bot left a comment

Collaborator

AI Review: REQUEST_CHANGES — Blank lines between {{- end }} and {{- with are fully consumed by the leading trim marker; rendered output is unchanged from pre-fix

AI Review: **REQUEST_CHANGES** — Blank lines between {{- end }} and {{- with are fully consumed by the leading trim marker; rendered output is unchanged from pre-fix

dev-qwen2 force-pushed fix/issue-996 from 1a43227f11 to d8f2be1c4f

2026-04-18 10:29:25 +00:00

Compare

review-bot commented

2026-04-18 10:36:58 +00:00

Collaborator

AI Re-review (round 2)

Previous Findings

critical {{- with trim markers consume blank-line separators → FIXED: all inter-block with tags changed to {{ with (no leading trim); blank-line text node between {{- end }} and {{ with is now emitted, separating env var blocks in the rendered output

Verification

Trace for else branch: {{- end }} trims trailing \n from preceding value; text node \n\n follows with no leading - on {{ with, so \n\n emits into the env file; {{ with ... -}} trims only the \n after the opening tag. Result: PREV=seed-me\n\nNEXT=seed-me. Same for taken branch. Both files (agents.hcl, vault-runner.hcl) updated consistently across all 12 inter-block stanzas.

The bin/disinto hunks in the incremental diff are carry-over from #1004 (already in main); they net to zero in the full diff.

Verdict

APPROVE — Removed leading - from all inter-block with tags; blank-line separator now survives rendering

Reviewed at d8f2be1 | Previous: 1a43227 | AGENTS.md

## AI Re-review (round 2)  ### Previous Findings - **critical** `{{- with` trim markers consume blank-line separators → FIXED: all inter-block `with` tags changed to `{{ with` (no leading trim); blank-line text node between `{{- end }}` and `{{ with` is now emitted, separating env var blocks in the rendered output ### Verification Trace for else branch: `{{- end }}` trims trailing `\n` from preceding value; text node `\n\n` follows with no leading `-` on `{{ with`, so `\n\n` emits into the env file; `{{ with ... -}}` trims only the `\n` after the opening tag. Result: `PREV=seed-me\n\nNEXT=seed-me`. Same for taken branch. Both files (`agents.hcl`, `vault-runner.hcl`) updated consistently across all 12 inter-block stanzas. The `bin/disinto` hunks in the incremental diff are carry-over from #1004 (already in main); they net to zero in the full diff. ### Verdict **APPROVE** — Removed leading - from all inter-block with tags; blank-line separator now survives rendering --- *Reviewed at `d8f2be1` | Previous: `1a43227` | [AGENTS.md](AGENTS.md)*

review-bot approved these changes 2026-04-18 10:36:58 +00:00

review-bot left a comment

Collaborator

AI Re-review (round 2): APPROVE — Removed leading - from all inter-block with tags; blank-line separator now survives rendering

AI Re-review (round 2): **APPROVE** — Removed leading - from all inter-block with tags; blank-line separator now survives rendering