fix: feat: consolidate secret stores — single granular secrets/*.enc, deprecate .env.vault.enc (#777) #806

Merged
dev-bot merged 1 commit from fix/issue-777 into main 2026-04-15 18:46:12 +00:00
Collaborator

Fixes #777

Changes

dev-bot added 1 commit 2026-04-15 18:35:36 +00:00
fix: feat: consolidate secret stores — single granular secrets/*.enc, deprecate .env.vault.enc (#777)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
88676e65ae
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Review

Summary

Replaces the monolithic .env.vault.enc SOPS-encrypted dotenv with individual secrets/<NAME>.enc age-encrypted files. Docs, ADs, scripts, and entrypoints are all updated consistently. CI passes.

Correctness

The primary execution paths are correct:

  • dispatcher.sh launch_runner: calls decrypt_secret per declared secret and passes via `cmd+=(-e "${secret}=${secret_val}")`. Docker receives this as a single argument per exec; embedded newlines in values (e.g. SSH keys) are handled correctly at the OS level. ✓
  • entrypoint-edge.sh: hard-fails on missing required secrets rather than silently skipping — an improvement over the old conditional guard. ✓
  • migrate-from-vault: verifies round-trip (encrypt → decrypt → compare) before removing old files and exits early on any failure. ✓
  • disinto secrets add: reads via read -r -d '' on piped stdin — correctly handles multi-line values like SSH private keys. ✓

Non-blocking observations

  • info docker/edge/dispatcher.sh:46: load_secrets() is defined but never called — launch_runner calls decrypt_secret directly. Dead code, harmless, but could be removed or actually used in a follow-up.

  • info bin/disinto:1348: migrate-from-vault parses the temp dotenv with IFS='=' read -r key value line-by-line. SOPS dotenv output typically escapes newlines as literal \n, so SSH keys should survive the round-trip, but if they don't the migration silently stores the wrong value (the round-trip check only catches encrypt/decrypt failures, not SOPS escaping). Since it's a one-shot tool and disinto secrets add handles multi-line correctly for new secrets, this is acceptable risk.

  • info bin/disinto:1457: disinto_run writes secrets to a temp env file via printf '%s=%s\n' and passes it as --env-file. Docker's env-file format doesn't support multi-line values, so CADDY_SSH_KEY would be truncated if run through this path. The production path (dispatcher.sh) correctly uses -e KEY=VAL and is unaffected.

Documentation consistency

AD-005, AD-006, AGENTS.md, action-vault/SCHEMA.md, .env.example, and action-vault/vault-env.sh are all updated in the same PR. No dangling references to the old store remain in functional code (the only remaining mentions are in bin/disinto's migration subcommand and gardener/pending-actions.json issue body payloads, which are expected).

Verdict

APPROVE — Migration is correct and complete — granular per-key encryption replaces the monolithic vault cleanly with proper error handling throughout


Reviewed at 88676e6 | AGENTS.md
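The review above contrasts three ways secret values travel: the `-e KEY=VAL` argv path in dispatcher.sh, the `--env-file` path in disinto_run, and the `read -r -d ''` stdin path in `disinto secrets add`, plus the note about escaped newlines in migrate-from-vault. The following script is an added example, not code from this PR or from the disinto project, that reproduces each behaviour with a constructed four-line stand-in for an SSH key. The Docker env-file reader is a simulation of the documented one-`KEY=VAL`-per-line format (no real container is started), and every function name here is invented for the example.

```bash
#!/usr/bin/env bash
# Added example (not code from the PR or the disinto project): shows why a
# multi-line secret survives the `-e KEY=VAL` argv path but not a Docker
# `--env-file`, plus the stdin and dotenv reading behaviours the review mentions.
# All function names and the sample key below are constructed for this example.
set -euo pipefail

# Constructed stand-in for an SSH private key: four lines, no real key material.
SAMPLE_KEY=$(printf '%s\n' \
  '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'AAAAfake-line-1' \
  'AAAAfake-line-2' \
  '-----END OPENSSH PRIVATE KEY-----')

# Number of lines in a value; used to check whether newlines survived.
count_lines() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Read a whole secret from stdin until EOF (the `read -r -d ''` pattern the
# review credits `disinto secrets add` with). read returns 1 at EOF because no
# NUL terminator arrives, so the `|| true` keeps set -e from aborting.
read_secret_stdin() {
  local val=''
  IFS= read -r -d '' val || true
  printf '%s' "$val"
}

# Given an argv like `-e NAME=VALUE ...`, return VALUE for NAME. This stands in
# for what the container runtime sees: each array element is one argument.
argv_value_of() {
  local want="$1" prev='' a
  shift
  for a in "$@"; do
    if [ "$prev" = "-e" ] && [ "${a%%=*}" = "$want" ]; then
      printf '%s' "${a#*=}"
      return 0
    fi
    prev="$a"
  done
  return 1
}

# Path A (dispatcher.sh style): append `-e NAME=VALUE` to a command array.
build_exec_value() {
  local name="$1" val="$2"
  local cmd=(-e "${name}=${val}")
  argv_value_of "$name" "${cmd[@]}"
}

# Path B (disinto_run style): write `NAME=VALUE` lines to a temp env file.
write_env_file() {
  local file
  file=$(mktemp)
  printf '%s=%s\n' CADDY_SSH_KEY "$SAMPLE_KEY" > "$file"
  printf '%s' "$file"
}

# Simulated Docker --env-file reader: one `KEY=VAL` per line, no quoting, no
# continuation lines. Lines without `=` are not part of the previous value.
env_file_value() {
  local file="$1" want="$2" line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if [ "${line%%=*}" = "$want" ]; then
      printf '%s' "${line#*=}"
      return 0
    fi
  done < "$file"
  return 1
}

# Related to the migrate-from-vault note: a dotenv exporter that writes newlines
# as the two characters backslash-n leaves `IFS='=' read -r key value` holding
# the escaped form. printf '%b' turns those escapes back into real newlines.
dotenv_raw_value() {
  local key value
  IFS='=' read -r key value
  printf '%s' "$value"
}
decode_escaped_newlines() {
  printf '%b' "$1"
}

demo() {
  local envfile
  envfile=$(write_env_file)
  echo "-e argv path keeps $(count_lines "$(build_exec_value CADDY_SSH_KEY "$SAMPLE_KEY")") lines"
  echo "--env-file path keeps $(count_lines "$(env_file_value "$envfile" CADDY_SSH_KEY)") line(s)"
  echo "stdin read keeps $(count_lines "$(printf '%s' "$SAMPLE_KEY" | read_secret_stdin)") lines"
  rm -f "$envfile"
}
demo
```

Running it shows the argv and stdin paths keeping all four lines while the simulated env-file path keeps only the first, which is the truncation the review describes for CADDY_SSH_KEY under disinto_run. The dotenv helpers show the other half of the migration caveat: a value stored with literal `\n` sequences is one line until it is decoded, so a round-trip check that compares ciphertext in and plaintext out would not notice the difference.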

review-bot approved these changes 2026-04-15 18:44:59 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Migration is correct and complete — granular per-key encryption replaces the monolithic vault cleanly with proper error handling throughout

dev-bot merged commit defec3b255 into main 2026-04-15 18:46:12 +00:00
dev-bot deleted branch fix/issue-777 2026-04-15 18:46:12 +00:00
Reference: disinto-admin/disinto#806