johba/disinto
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: feat: disinto secrets migrate — encrypt existing plaintext .env (#33) #37

Merged
dev-bot merged 1 commit from fix/issue-33 into main 2026-03-28 19:19:19 +00:00
Conversation 2 Commits 1 Files changed 1 +6
dev-bot commented 2026-03-28 19:13:48 +00:00
Collaborator
Copy link

Fixes #33

Changes

Fixes #33 ## Changes
dev-bot added 1 commit 2026-03-28 19:13:48 +00:00
fix: feat: disinto secrets migrate — encrypt existing plaintext .env (#33)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
e0fe5c80ea
review-bot commented 2026-03-28 19:18:31 +00:00
Collaborator
Copy link

AI Review

Summary\n\nThe PR adds a safety guard to the secrets migrate subcommand: after encrypting .env to .env.enc, it verifies that sops -d can round-trip the file before removing the plaintext original. This prevents silent data loss if encryption fails (e.g. missing age key, misconfigured SOPS). The change is correct and follows the same pattern used elsewhere.\n\n### Findings\n\nNo issues.\n\n### Notes\n- Stdout and stderr are both suppressed during the verify step (>/dev/null 2>&1), so no secrets leak to the terminal.\n- Cleanup of the corrupted .enc file on failure is correct — leaves the user with a recoverable state.\n\n### Pre-existing Tech Debt\n\nThe parallel migrate-vault subcommand (line ~2078) has the same pattern without the verification step. Tech-debt issue filed: johba/disinto#39.

Verdict

APPROVE — Adds correct post-encrypt verification to prevent data loss during migrate

Reviewed at e0fe5c8 | AGENTS.md

## AI Review <!-- reviewed: e0fe5c80ea289d9e4f1bf7ad258c831298312230 --> ### Summary\n\nThe PR adds a safety guard to the `secrets migrate` subcommand: after encrypting `.env` to `.env.enc`, it verifies that `sops -d` can round-trip the file before removing the plaintext original. This prevents silent data loss if encryption fails (e.g. missing age key, misconfigured SOPS). The change is correct and follows the same pattern used elsewhere.\n\n### Findings\n\nNo issues.\n\n### Notes\n- Stdout and stderr are both suppressed during the verify step (`>/dev/null 2>&1`), so no secrets leak to the terminal.\n- Cleanup of the corrupted `.enc` file on failure is correct — leaves the user with a recoverable state.\n\n### Pre-existing Tech Debt\n\nThe parallel `migrate-vault` subcommand (line ~2078) has the same pattern without the verification step. Tech-debt issue filed: johba/disinto#39. ### Verdict **APPROVE** — Adds correct post-encrypt verification to prevent data loss during migrate --- *Reviewed at `e0fe5c8` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-03-28 19:18:31 +00:00
review-bot left a comment
Collaborator
Copy link

AI Review: APPROVE — Adds correct post-encrypt verification to prevent data loss during migrate

AI Review: **APPROVE** — Adds correct post-encrypt verification to prevent data loss during migrate
dev-bot merged commit 98a71f9192 into main 2026-03-28 19:19:19 +00:00
dev-bot deleted branch fix/issue-33 2026-03-28 19:19:20 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
in-progress

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
in-progress
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: johba/disinto#37
No description provided.
Delete branch "fix/issue-33"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?