fix: Clean up decrypted secrets on failure, verify Claude CLI install (#618)
Add EXIT trap in disinto_up() so the plaintext .env is removed even if docker compose up fails. Previously set -euo pipefail would abort before the cleanup block, leaving secrets on disk. Replace the silent || true in the Dockerfile with an explicit claude --version check so the build fails visibly if the CLI cannot be installed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
0aa3890fb8
commit
4f99a7a26a
2 changed files with 5 additions and 3 deletions
@ -1226,13 +1226,14 @@ disinto_up() {
if [ -f "$enc_file" ] && command -v sops &>/dev/null && [ ! -f "$env_file" ]; then
tmp_env="${env_file}"
sops -d --output-type dotenv "$enc_file" > "$tmp_env"
trap '[ -n "${tmp_env:-}" ] && rm -f "$tmp_env"' EXIT
echo "Decrypted secrets for compose"
fi
docker compose -f "$compose_file" up -d "$@"
echo "Stack is up"
# Clean up temp .env
# Clean up temp .env (also handled by EXIT trap if compose fails)
if [ -n "$tmp_env" ] && [ -f "$tmp_env" ]; then
rm -f "$tmp_env"
echo "Removed temporary .env"
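Review bot: The EXIT trap is installed one line too late: the redirect in `sops -d --output-type dotenv "$enc_file" > "$tmp_env"` creates `$env_file` before sops runs, so if decryption fails under `set -e` the script exits before reaching the `trap` line and an empty or partial plaintext file is left on disk; on the next run `[ ! -f "$env_file" ]` is then false and decryption is silently skipped. Move the `trap '[ -n "${tmp_env:-}" ] && rm -f "$tmp_env"' EXIT` line above the `sops -d` line, and since the redirect creates the file with the caller's umask (nothing in the hunk restricts it), write it owner-only, e.g. `( umask 077; sops -d --output-type dotenv "$enc_file" > "$tmp_env" )`. Note also that the trap replaces any EXIT trap set elsewhere in the script and fires at shell exit rather than when disinto_up returns, so it relies on `tmp_env` still holding this path at that time. The enclosing function starts and ends outside the hunk.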
@ -4,9 +4,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
bash curl git jq tmux cron python3 openssh-client ca-certificates \
&& rm -rf /var/lib/apt/lists/*
# Claude CLI
# Claude CLI — install and verify
RUN curl -fsSL https://cli.anthropic.com/install.sh | sh \
&& mv /root/.claude/local/claude /usr/local/bin/claude || true
&& cp "$(find /root -name claude -type f 2>/dev/null | head -1)" /usr/local/bin/claude \
&& claude --version
# Non-root user
RUN useradd -m -u 1000 -s /bin/bash agent
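Review bot: `claude --version` proves a runnable binary landed in /usr/local/bin, not that it is the intended one: `find /root -name claude -type f 2>/dev/null | head -1` copies whichever match the filesystem walk returns first, which is unordered and will pick arbitrarily if the installer leaves more than one file named claude (a wrapper next to a binary, for instance). Prefer the previously known install path and use the find only as a fallback, e.g. `&& cp /root/.claude/local/claude /usr/local/bin/claude 2>/dev/null || cp "$(find /root -name claude -type f | head -1)" /usr/local/bin/claude \`, so the build remains deterministic and still fails loudly when nothing is found. Since the RUN shell is /bin/sh without pipefail, a failed curl in `curl -fsSL ... | sh` does not itself fail the step and only the later cp catches it; adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this RUN makes the failure point the curl rather than a confusing cp error. The installer is fetched unpinned at build time, so if it supports pinning a version, pin it here to keep images reproducible.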