fix: Clean up decrypted secrets on failure, verify Claude CLI install (#618)
Add EXIT trap in disinto_up() so the plaintext .env is removed even if docker compose up fails. Previously set -euo pipefail would abort before the cleanup block, leaving secrets on disk. Replace the silent || true in the Dockerfile with an explicit claude --version check so the build fails visibly if the CLI cannot be installed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
openhands
parent
0aa3890fb8
commit
4f99a7a26a
2 changed files with 5 additions and 3 deletions
|
|
@ -1226,13 +1226,14 @@ disinto_up() {
|
|||
if [ -f "$enc_file" ] && command -v sops &>/dev/null && [ ! -f "$env_file" ]; then
|
||||
tmp_env="${env_file}"
|
||||
sops -d --output-type dotenv "$enc_file" > "$tmp_env"
|
||||
trap '[ -n "${tmp_env:-}" ] && rm -f "$tmp_env"' EXIT
|
||||
echo "Decrypted secrets for compose"
|
||||
fi
|
||||
|
||||
docker compose -f "$compose_file" up -d "$@"
|
||||
echo "Stack is up"
|
||||
|
||||
# Clean up temp .env
|
||||
# Clean up temp .env (also handled by EXIT trap if compose fails)
|
||||
if [ -n "$tmp_env" ] && [ -f "$tmp_env" ]; then
|
||||
rm -f "$tmp_env"
|
||||
echo "Removed temporary .env"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue