fix: External actions (publish, deploy, post) must go through vault — agents cannot hold tokens directly (#745)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 320236080e
commit 569313ac93
5 changed files with 62 additions and 4 deletions
@ -233,6 +233,10 @@ services:
DISINTO_CONTAINER: "1"
env_file:
- .env
# IMPORTANT: agents get .env only (forge tokens, CI tokens, config).
# Vault-only secrets (GITHUB_TOKEN, CLAWHUB_TOKEN, deploy keys) live in
# .env.vault.enc and are NEVER injected here — only the vault-runner
# container receives them at fire time (AD-006, #745).
depends_on:
- forgejo
- woodpecker
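Review bot: the new comment block is the only thing keeping GITHUB_TOKEN, CLAWHUB_TOKEN and deploy keys out of the agent container; `env_file: - .env` still hands the agent every variable that happens to be in `.env`, so a single misplaced line in that file silently re-grants the agent a token the commit message says it must never hold. Back the comment with a check that fails closed, for example an entrypoint guard in the agent image that refuses to start when `GITHUB_TOKEN` or `CLAWHUB_TOKEN` is present in its environment, and a lint in CI that rejects any `.env` containing a key from the vault-only list. It would also help to move the comment above `env_file:` rather than after the `- .env` item, so whoever edits the list reads the rule before adding to it, and to state in the comment that the "forge tokens, CI tokens" the agent does receive are expected to be scoped to the local forgejo/woodpecker services named under `depends_on`, since they are still credentials and the boundary being drawn here is about scope, not about tokens versus no tokens.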