fix(wfctl): R-A4 align rule consults top-level secrets.generate + entries (workflow#541)#550
Merged
Merged
Conversation
…ries (workflow#541) buildAlignContext now populates ctx.secretKeys from cfg.Secrets.Generate[i].Key and cfg.Secrets.Entries[i].Name in addition to the existing module-form (secrets.generate / secrets.requires) path. This unblocks core-dump PR #190 which uses top-level secrets.generate to declare STAGING_PG_PASSWORD; before this fix wfctl infra align --strict fired a false-positive R-A4 FAIL because the unresolved env var ${STAGING_PG_PASSWORD} couldn't be matched against a known secret key. Adds two pinning tests: - TestInfraAlign_RA4_TopLevelSecretsGenerate_DoesNotFire - TestInfraAlign_RA4_TopLevelSecretsEntries_DoesNotFire Existing module-form R-A4 tests remain green (no regression). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates wfctl infra align so R-A4 treats secrets declared in the canonical top-level secrets: block as valid env-var resolution sources, reducing false positives in infrastructure config validation.
Changes:
- Extend
buildAlignContextto seed secret keys from top-levelsecrets.generate[].keyandsecrets.entries[].name. - Add regression tests covering top-level
secrets.generateandsecrets.entriesfor R-A4. - Keep existing module-form
secrets.generatehandling unchanged while broadening top-level config support.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
cmd/wfctl/infra_align_rules.go |
Adds top-level secret key collection so R-A4 can recognize canonical secrets: declarations. |
cmd/wfctl/infra_align_test.go |
Adds R-A4 regression tests for top-level secrets.generate and secrets.entries. |
⏱ Benchmark Results✅ No significant performance regressions detected. benchstat comparison (baseline → PR)
|
processImports previously dropped imported WorkflowConfig.Secrets blocks,
so a `secrets:` declaration in shared.yaml never reached the loaded
parent config. R-A4 (and R-A9) consult cfg.Secrets via buildAlignContext;
without the merge, an env var resolved by an imported secrets.generate /
secrets.entries entry continued to false-positive as unresolved.
Merge semantics match the rest of processImports:
- DefaultStore / Provider / Config / Rotation: parent wins; imported
value adopted only when parent's field is unset.
- Generate slice: append imported entries; dedupe by Key (parent first).
- Entries slice: append imported entries; dedupe by Name (parent first).
Tests:
- config: TestLoadFromFile_ImportSecretsMerge (precedence + dedupe);
TestLoadFromFile_ImportSecretsOnlyInImport (cfg.Secrets nil
before fix, populated after).
- wfctl: TestInfraAlign_RA4_TopLevelSecrets_FromImport_DoesNotFire
(verified to FAIL without the merge — proves the bug + fix).
Addresses Copilot inline review on PR #550.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…fig (workflow#541) Two follow-on fixes from Copilot round-2 review on PR #550: 1. SecretStores merge: ResolveSecretStore / getProviderForStore look up store names against WorkflowConfig.SecretStores. processImports previously dropped that map entirely; an imported `defaultStore` or `entries[*].store` reference would later be treated as a raw provider name and fail with unknown-provider. Now merged with parent-wins per-key dedupe (matching Workflows / Triggers / Pipelines / Platform / Plugins.External semantics). 2. Secrets.Config per-key merge: previously the entire imported map was discarded as soon as the main file defined any key, breaking the shared-defaults + local-override pattern (e.g. import provides {repo, token_env, api_url}; main only overrides {token_env}). Now per-key merge: imported keys absent from main survive, main wins on key conflicts. 3. Comment-typo fix in config_import_test.go (missing space). Tests: - TestProcessImports_MergesSecretStoresFromImport - TestProcessImports_SecretsConfigMergesPerKey_LocalOverride Both verified to FAIL without their respective fix. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…IDs (workflow#541)
Round-3 review surfaced a third missing merge surface in processImports.
This commit closes it and audits the remaining WorkflowConfig fields so
the cascade ends here.
Field audit of WorkflowConfig vs processImports merge coverage:
Already merged BEFORE this PR:
Modules, Workflows, Triggers, Pipelines, Platform, Plugins.External,
Sidecars
Merged in earlier commits of this PR (#550):
Secrets (Generate dedupe-by-Key, Entries dedupe-by-Name, Config
per-key, scalars parent-wins), SecretStores (per-store dedupe-by-name)
Merged in THIS commit:
Environments (per-env dedupe-by-name, parent-wins) — closes the
finding that ResolveSecretStore consults
Environments[env].SecretsStoreOverride and dropping it routes
secrets to the wrong backend.
Intentionally NOT merged (out-of-scope follow-ups for #541):
Requires, Infrastructure, Engine, CI, Infra, Services, Mesh,
Networking, Security — these are all single-document config blocks
where merge semantics need separate design + dedicated regression
tests; will file follow-up issues.
Test fixture cleanup (Copilot round-3 nits): use canonical provider IDs
`aws-secrets-manager` and `gcp-secret-manager` (per docs/dsl-reference.md
and cmd/wfctl/wizard.go). Fixtures double as copy-paste examples; using
unsupported spellings in tests is a footgun.
Tests:
- TestProcessImports_MergesEnvironmentsFromImport — verified to FAIL
without the new merge (`expected Environments[staging] from import`).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 5, 2026
This was referenced May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
wfctl infra align --strictpreviously fired a false-positiveR-A4 FAILfor env-var tokens that resolve via the top-levelsecrets.generate/secrets.entriesblocks.buildAlignContextonly populatedctx.secretKeysfrom the module-form (secrets.generate/secrets.requiresmodules), so any config using the canonical top-levelsecrets:block was unfairly flagged.This PR fixes the original W-541 align bug. During Copilot review, three additional incomplete-merge surfaces in
config.processImportswere surfaced and addressed in follow-on commits to keep the import-merge logic internally consistent. Two further direct-parsing-caller paths (parseSecretsConfig,wfctl secrets) were scope-cut to follow-up issues for separate PRs.Closes workflow#541. Unblocks core-dump PR #190 (which uses inline top-level
secrets.generateto declareSTAGING_PG_PASSWORD; verified against the actual config — noimports:involved).Scope (delta from original spec)
The original plan limited this PR to
buildAlignContext+ 2 align tests. Copilot review surfaced thatconfig.processImportswas missing several merge surfaces that the new align behavior would expose. Rather than ship a half-fix, the import-merge work was completed in the same PR. Honest scope:1. Original W-541 fix — R-A4 align rule (commit
abc2db8c)cmd/wfctl/infra_align_rules.go: extendbuildAlignContext's top-level-secrets branch to also seedctx.secretKeysfromcfg.Secrets.Generate[].Keyandcfg.Secrets.Entries[].Name.TestInfraAlign_RA4_TopLevelSecretsGenerate_DoesNotFire,TestInfraAlign_RA4_TopLevelSecretsEntries_DoesNotFire.2. processImports — Secrets merge (commit
8632612f)config/config.go:processImportsnow mergesWorkflowConfig.Secrets. Generate (dedupe by Key), Entries (dedupe by Name), scalars parent-wins.TestLoadFromFile_ImportSecretsMerge,TestLoadFromFile_ImportSecretsOnlyInImport,TestInfraAlign_RA4_TopLevelSecrets_FromImport_DoesNotFire.3. processImports — SecretStores + Secrets.Config per-key merge (commit
dd81421d)config/config.go: mergeWorkflowConfig.SecretStores(per-store dedupe by name); changeSecrets.Configfrom all-or-nothing to per-key merge to support shared-defaults + local-override pattern.TestProcessImports_MergesSecretStoresFromImport,TestProcessImports_SecretsConfigMergesPerKey_LocalOverride.4. processImports — Environments merge + canonical provider IDs (commit
30bc8bc8)config/config.go: mergeWorkflowConfig.Environmentsper-env (parent wins).ResolveSecretStoreconsultsEnvironments[env].SecretsStoreOverride; without merge, imported overrides drop and secrets route to wrong backend.aws-secrets-managerandgcp-secret-manager(perdocs/dsl-reference.mdandcmd/wfctl/wizard.go).TestProcessImports_MergesEnvironmentsFromImport.A complete
WorkflowConfigfield audit is documented in commit30bc8bc8's body. Remaining unmerged top-level fields (Requires, Infrastructure, Engine, CI, Infra, Services, Mesh, Networking, Security) are intentionally out-of-scope follow-ups — none are referenced by the alignment-rule code path that motivated this PR.Follow-up issues
The merge work in this PR only benefits callers that go through
config.LoadFromFile. Two direct-parsing-caller paths still bypassprocessImportsand were scope-cut to keep this PR focused:parseSecretsConfig(cmd/wfctl/infra_bootstrap.go,cmd/wfctl/infra.go) raw-unmarshals only the current file. After this PR,wfctl infra aligncorrectly resolves importedsecrets.generatekeys, butwfctl infra bootstrapwill silently skip generation of those secrets.wfctl secretsfamily (loadSecretsConfig,runSecretsSetup) parses YAML directly. Configs that movesecrets.entries/secretStores/ per-env overrides into shared imports will look empty or route to the wrong store insecrets get/validate/export/setup.Both are mechanical refactors (call
config.LoadFromFileinstead ofyaml.Unmarshal) but have a wide enough blast radius to deserve their own PR + regression test coverage.Test plan
GOWORK=off go test -race -count=1 ./config/ ./cmd/wfctl/— greenTestInfraAlign_RA4_SecretsGenerate_DoesNotFire) and all import precedence tests still passgo.mod/go.sumchanges (theGo Mod Tidyfailure on this PR is pre-existing AWS SDK drift onmain, unrelated to this change)Design reference
docs/plans/2026-05-05-iac-deferred-cleanup-design.md(PR 1, W-541). v0.21.1 will be cut after this merges.Rollback
Revert the squash commit on
main. Stopgap fallback is the env-var export pattern in core-dump'sdeploy.ymlalign step (STAGING_PG_PASSWORD,STAGING_VPC_UUID).