disinto/.gitignore at 0762ab73ffbe0e0ad0335c491632494bf3aade0b - johba/disinto - Forgejo: Beyond coding. We forge.

johba/disinto

openhands cb5252588c fix: Secure action runtime — ephemeral container with vault-injected secrets (#748 )

Split secrets into two SOPS-encrypted files:
- .env.enc for agent secrets (FORGE_TOKEN, CLAUDE_API_KEY, etc.)
- .env.vault.enc for vault secrets (GITHUB_TOKEN, deploy keys, etc.)

Add ephemeral vault-runner container (profiles: ["vault"]) that receives
only vault secrets at runtime. Agents never see vault secrets; vault-runner
never sees agent secrets.

Key changes:
- bin/disinto: vault-run subcommand, dual-file secrets management,
  vault-runner service in compose template
- vault/vault-fire.sh: delegates action execution to vault-runner
  container via disinto vault-run (bare-metal fallback preserved)
- vault/vault-poll.sh: new phase 5 detects vault-bot authorized
  comments on issues with action label
- vault/vault-run-action.sh: entrypoint for ephemeral container,
  dispatches to action handlers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-26 16:41:27 +00:00

24 lines

368 B

Text

Raw Blame History

 # Plaintext secrets (never commit)
 .env
 # Encrypted secrets — safe to commit (SOPS-encrypted with age)
 !.env.enc
 !.env.vault.enc
 !.sops.yaml
 # Per-box project config (generated by disinto init)
 projects/*.toml
 # Runtime state
 *.log
 *.log.*
 *.log.old
 state.json
 *.lock
 *.pid
 metrics/supervisor-metrics.jsonl
 # OS
 .DS_Store
 dev/ci-fixes-*.json
 gardener/dust.jsonl