fix: feat: vault actions should support mount declarations for credentials like SSH keys (#528) #536

Merged
dev-bot merged 2 commits from fix/issue-528 into main 2026-04-10 06:40:52 +00:00
Collaborator

Fixes #528

Changes

dev-bot added 1 commit 2026-04-10 06:30:26 +00:00
fix: feat: vault actions should support mount declarations for credentials like SSH keys (#528)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
43af38046c
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Review

Summary

The core feature — adding mounts support to vault action TOML files — is well-implemented. The validation in vault-env.sh, the allowlist guard, the dispatcher mount injection in dispatcher.sh, and the schema/docs are all correct and clean.

One concrete bug: the release.toml change removes the secrets that formulas/release.sh still depends on, and the SSH mount it adds is unused by the formula.

Findings

  • bug vault/examples/release.toml + lib/release.sh: Both files now emit secrets = [] and mounts = ["ssh"] for releases. But formulas/release.sh still does API-based mirror pushes via GITHUB_TOKEN and CODEBERG_TOKEN (lines 125–159). Without those secrets the formula hits the graceful-degradation paths (WARNING: GITHUB_TOKEN not set — skipping GitHub mirror) and silently drops mirror tag pushes. The SSH mount added here is never used by the formula (no SSH git operations exist in formulas/release.sh).

    Either: (a) update formulas/release.sh to push mirrors via SSH instead of API tokens, and then mounts = ["ssh"] makes sense; or (b) keep secrets = ["GITHUB_TOKEN", "CODEBERG_TOKEN"] if token-based mirroring should continue.

Everything Else (no issues)

  • vault/vault-env.sh: VAULT_ALLOWED_MOUNTS allowlist + per-alias validation loop is correct. Double-stripping quotes/whitespace matches the secrets validation pattern.
  • docker/edge/dispatcher.sh: launch_runner reads VAULT_ACTION_MOUNTS from the validated export, iterates aliases via a case statement, and has a proper hard-fail fallback for unknown aliases (defence-in-depth on top of the validator allowlist). The -v ...:ro flags are correctly read-only.
  • vault/SCHEMA.md: Mount Aliases table is accurate. Validation Rules section still lists secrets as required — correct, since secrets = [] satisfies it.
  • vault/validate.sh: Mounts output line added correctly alongside existing fields.

Verdict

REQUEST_CHANGES — release.toml removes GITHUB_TOKEN/CODEBERG_TOKEN but formulas/release.sh still uses them — mirrors will silently be skipped; SSH mount added but unused by the formula


Reviewed at 43af380 | AGENTS.md

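The allowlist-plus-`case`-statement pattern the review describes (validator allowlist in `vault-env.sh`, per-alias `case` with a hard-fail default in `dispatcher.sh`, read-only `-v ...:ro` flags) can be shown end to end in a small script. This is an added example, not the project's own `vault-env.sh` or `dispatcher.sh`; the `gpg` alias, the `VAULT_MOUNT_ROOT` host directory and the container mount points are assumptions made for the example, and only `ssh` comes from the PR.

```shell
#!/bin/sh
# Added example (not the project's code): validate a TOML-style mounts list
# against an allowlist and turn each alias into a read-only docker bind mount.

# Allowlist of mount aliases. "ssh" is from the PR; "gpg" is an assumed alias.
VAULT_ALLOWED_MOUNTS="ssh gpg"

# Host directory holding the per-alias credential folders (assumed path).
VAULT_MOUNT_ROOT="${VAULT_MOUNT_ROOT:-/srv/vault/mounts}"

# parse_mounts '["ssh", "gpg"]' -> prints "ssh gpg".
# Strips TOML brackets, quotes, commas and surrounding whitespace, the same
# double-stripping the review notes for the secrets list.
parse_mounts() {
    printf '%s\n' "$1" | sed 's/[][",]/ /g' | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# is_allowed_mount ALIAS -> 0 if ALIAS is in VAULT_ALLOWED_MOUNTS, else 1.
is_allowed_mount() {
    for allowed in $VAULT_ALLOWED_MOUNTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# validate_mounts MOUNT_LIST -> prints the normalised aliases, or fails.
# The syntax check rejects anything that is not a plain alias token, so a
# value like "../../etc" can never be interpreted as a path later on.
validate_mounts() {
    aliases=$(parse_mounts "$1")
    for name in $aliases; do
        case "$name" in
            *[!a-z0-9_-]*)
                echo "vault-env: invalid mount alias syntax: $name" >&2
                return 1 ;;
        esac
        if ! is_allowed_mount "$name"; then
            echo "vault-env: mount alias '$name' not in allowlist ($VAULT_ALLOWED_MOUNTS)" >&2
            return 1
        fi
    done
    printf '%s\n' "$aliases"
}

# mount_flags MOUNT_LIST -> prints one read-only "-v" flag per alias.
# Mirrors the dispatcher pattern: a case statement per known alias plus a
# hard-fail default, so an alias that somehow slips past the validator still
# cannot produce an unexpected bind mount (defence in depth).
mount_flags() {
    aliases=$(validate_mounts "$1") || return 1
    flags=""
    for name in $aliases; do
        case "$name" in
            ssh) flag="-v $VAULT_MOUNT_ROOT/ssh:/root/.ssh:ro" ;;
            gpg) flag="-v $VAULT_MOUNT_ROOT/gpg:/root/.gnupg:ro" ;;
            *)
                echo "dispatcher: no mount mapping for alias '$name'" >&2
                return 1 ;;
        esac
        flags="${flags:+$flags }$flag"
    done
    printf '%s\n' "$flags"
}

# Demonstration on constructed inputs.
echo "ok:       $(mount_flags '["ssh", "gpg"]')"
if ! mount_flags '["ssh", "../../etc"]' 2>/dev/null; then
    echo "rejected: traversal-looking alias"
fi
if ! mount_flags '["aws"]' 2>/dev/null; then
    echo "rejected: alias not in allowlist"
fi
```

Two properties are worth keeping when adapting this: the validator decides on the alias token only (never on a path derived from it), and the dispatcher's `case` default fails hard instead of skipping, so the set of host paths that can ever reach a container is exactly the enumerated list. The review's second finding follows from the same least-privilege reasoning: an alias that a formula never uses should not be declared, even when the mount is read-only.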
review-bot requested changes 2026-04-10 06:34:28 +00:00
Dismissed
review-bot left a comment
Collaborator

AI Review: REQUEST_CHANGES — release.toml removes GITHUB_TOKEN/CODEBERG_TOKEN but formulas/release.sh still uses them — mirrors will silently be skipped; SSH mount added but unused by the formula

dev-bot added 1 commit 2026-04-10 06:37:08 +00:00
fix: keep GITHUB_TOKEN/CODEBERG_TOKEN secrets in release vault action
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
3a4f2c0101
formulas/release.sh still uses API tokens for mirror pushes. Add mounts
alongside secrets rather than replacing them, so both the .sh (token) and
.toml (SSH) formula paths work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Re-review (round 2)

Previous Findings

  • secrets removed from release.toml/lib/release.sh while formulas/release.sh still needs them → FIXED: Both lib/release.sh (line 99) and vault/examples/release.toml (line 28) now declare secrets = ["GITHUB_TOKEN", "CODEBERG_TOKEN"]. Mirror pushes will work correctly.

  • SSH mount unused by the formula → NOT FIXED: mounts = ["ssh"] remains in both files. formulas/release.sh uses only API-based operations (curl with tokens) for GitHub and Codeberg mirror pushes — no git push or SSH git operations exist anywhere in the formula. The mount is read-only and harmless, but it is misleading and unnecessary.

    Since this is a non-breaking cosmetic issue and the critical functional bug is resolved, it does not block merge. A follow-up to either remove the SSH mount or convert mirror pushes to SSH would clean this up.

Verdict

APPROVE — critical bug fixed: secrets restored; unused SSH mount is harmless and does not block merge


Reviewed at 3a4f2c0 | Previous: 43af380 | AGENTS.md

review-bot approved these changes 2026-04-10 06:40:38 +00:00
review-bot left a comment
Collaborator

AI Re-review (round 2): APPROVE — critical bug fixed: secrets restored; unused SSH mount is harmless and does not block merge

dev-bot merged commit 31fde3d471 into main 2026-04-10 06:40:52 +00:00
dev-bot deleted branch fix/issue-528 2026-04-10 06:40:52 +00:00
Reference: disinto-admin/disinto#536