
wfctl secrets: use config.LoadFromFile to honor imports: directives #560

Merged: intel352 merged 4 commits into main from copilot/fix-wfctl-secrets-commands-parsing, May 6, 2026

Copilot AI commented May 6, 2026

All wfctl secrets subcommands (get, validate, list, set, rotate, sync, setup, detect) and infra post-apply secret sync were reading YAML directly via os.ReadFile + yaml.Unmarshal, skipping config.LoadFromFile's import-merge pipeline. Secrets, secret stores, and per-environment overrides declared only in imported files were invisible to these commands.

Changes

  • secrets_detect.go (runSecretsDetect, loadSecretsConfig, loadWorkflowConfigForSecrets): replace direct unmarshal with config.LoadFromFile; missing-file fallbacks now use errors.Is(err, os.ErrNotExist) to handle the wrapped error; remove unused yaml import.
  • secrets_setup.go (runSecretsSetup): replace direct unmarshal with config.LoadFromFile; replace resolveSecretStoreForSetup + newSecretsProvider with ResolveSecretStore + getProviderForStore so environment-level overrides correctly use SecretsStoreOverride (not the unrelated SecretsProvider field) and named stores are looked up from SecretStores; remove the now-redundant resolveSecretStoreForSetup function; remove unused yaml import.
  • infra_secrets.go (parseSecretsConfig): replace direct unmarshal with config.LoadFromFile so infra bootstrap and post-apply secret sync see imported generate[] entries and stores.

Example — previously broken

# main.yaml
imports:
  - shared.yaml

# shared.yaml
secretStores:
  vault:
    provider: vault
    config:
      address: https://vault.example.com
secrets:
  defaultStore: vault
  entries:
    - name: API_TOKEN

Before: wfctl secrets get API_TOKEN fell back to the env provider (empty secrets: block). After: resolves to the vault store via the merged config.

Regression tests (secrets_imports_test.go)

  • loadSecretsConfig surfaces imported entries and defaultStore; main-file wins on conflicts, including duplicate entry names (no duplicates in merged result).
  • loadWorkflowConfigForSecrets surfaces imported secretStores.
  • parseSecretsConfig surfaces imported entries and generate[].
  • runSecretsValidate passes/fails correctly against imported entries.
  • ResolveSecretStore picks the imported defaultStore for secrets setup.
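
The failure mode described in this comment, as an added example that is not code from the PR or the project: a single-file parse resolves to the env fallback while an import-aware load resolves to the imported store, and a wrapped missing-file error is only recognised through errors.Is. Config, load, storeFor and fixtures are hypothetical names; JSON stands in for YAML and an in-memory fstest.MapFS stands in for disk so the block needs only the standard library (fs.ErrNotExist is the same sentinel as os.ErrNotExist); the import graph is assumed to be acyclic.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Config is a constructed stand-in; JSON keys match fields case-insensitively.
type Config struct {
	Imports []string
	Secrets struct {
		DefaultStore string
		Entries      []struct{ Name string }
	}
}

// fixtures are constructed sample files: main.json imports shared.json.
var fixtures = fstest.MapFS{
	"main.json":   {Data: []byte(`{"imports":["shared.json"],"secrets":{"entries":[{"name":"API_TOKEN"},{"name":"LOCAL_KEY"}]}}`)},
	"shared.json": {Data: []byte(`{"secrets":{"defaultStore":"vault","entries":[{"name":"API_TOKEN"},{"name":"DB_PASSWORD"}]}}`)},
}

// load parses name; honorImports merges imports, the importing file winning.
func load(fsys fs.FS, name string, honorImports bool) (*Config, error) {
	data, err := fs.ReadFile(fsys, name)
	if err != nil {
		return nil, fmt.Errorf("read config %s: %w", name, err) // wrapped
	}
	cfg := &Config{}
	if err := json.Unmarshal(data, cfg); err != nil {
		return nil, fmt.Errorf("parse config %s: %w", name, err)
	}
	if !honorImports {
		return cfg, nil // the "before" behaviour: imports are ignored
	}
	seen := map[string]bool{}
	for _, e := range cfg.Secrets.Entries {
		seen[e.Name] = true
	}
	for _, imp := range cfg.Imports {
		sub, err := load(fsys, path.Join(path.Dir(name), imp), true)
		if err != nil {
			return nil, err
		}
		if cfg.Secrets.DefaultStore == "" {
			cfg.Secrets.DefaultStore = sub.Secrets.DefaultStore
		}
		for _, e := range sub.Secrets.Entries {
			if !seen[e.Name] {
				seen[e.Name] = true
				cfg.Secrets.Entries = append(cfg.Secrets.Entries, e)
			}
		}
	}
	return cfg, nil
}

// storeFor falls back to "env" when no defaultStore is visible.
func storeFor(cfg *Config) string {
	if cfg.Secrets.DefaultStore == "" {
		return "env"
	}
	return cfg.Secrets.DefaultStore
}

func main() {
	d, _ := load(fixtures, "main.json", false)
	m, _ := load(fixtures, "main.json", true)
	_, err := load(fixtures, "absent.json", true)
	fmt.Println(storeFor(d), storeFor(m), len(m.Secrets.Entries), errors.Is(err, fs.ErrNotExist))
}
```

Because the read error is wrapped with %w, os.IsNotExist reports false for it; only errors.Is walks the chain.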


github-actions Bot commented May 6, 2026

⏱ Benchmark Results

No significant performance regressions detected.

benchstat comparison (baseline → PR)
## benchstat: baseline → PR
baseline-bench.txt:260: parsing iteration count: invalid syntax
baseline-bench.txt:313335: parsing iteration count: invalid syntax
baseline-bench.txt:563008: parsing iteration count: invalid syntax
baseline-bench.txt:878837: parsing iteration count: invalid syntax
baseline-bench.txt:1176606: parsing iteration count: invalid syntax
baseline-bench.txt:1459183: parsing iteration count: invalid syntax
benchmark-results.txt:260: parsing iteration count: invalid syntax
benchmark-results.txt:329706: parsing iteration count: invalid syntax
benchmark-results.txt:680890: parsing iteration count: invalid syntax
benchmark-results.txt:1000856: parsing iteration count: invalid syntax
benchmark-results.txt:1280814: parsing iteration count: invalid syntax
benchmark-results.txt:1628164: parsing iteration count: invalid syntax
goos: linux
goarch: amd64
pkg: github.com/GoCodeAlone/workflow/dynamic
cpu: AMD EPYC 7763 64-Core Processor                
                            │ baseline-bench.txt │        benchmark-results.txt        │
                            │       sec/op       │    sec/op      vs base              │
InterpreterCreation-4              3.673m ± 175%   3.294m ± 196%       ~ (p=0.485 n=6)
ComponentLoad-4                    3.554m ±   1%   3.505m ±   0%  -1.36% (p=0.002 n=6)
ComponentExecute-4                 1.931µ ±   1%   1.912µ ±   1%  -0.98% (p=0.002 n=6)
PoolContention/workers-1-4         1.078µ ±   1%   1.079µ ±   3%       ~ (p=0.981 n=6)
PoolContention/workers-2-4         1.083µ ±   3%   1.075µ ±   3%       ~ (p=0.180 n=6)
PoolContention/workers-4-4         1.085µ ±   1%   1.077µ ±   1%       ~ (p=0.310 n=6)
PoolContention/workers-8-4         1.082µ ±   1%   1.085µ ±   1%       ~ (p=1.000 n=6)
PoolContention/workers-16-4        1.090µ ±   4%   1.080µ ±   1%       ~ (p=0.058 n=6)
ComponentLifecycle-4               3.573m ±   2%   3.547m ±   1%  -0.73% (p=0.002 n=6)
SourceValidation-4                 2.234µ ±   1%   2.236µ ±   1%       ~ (p=0.535 n=6)
RegistryConcurrent-4               811.1n ±   2%   775.4n ±   5%  -4.41% (p=0.026 n=6)
LoaderLoadFromString-4             3.617m ±   2%   3.556m ±   1%       ~ (p=0.093 n=6)
geomean                            17.60µ          17.27µ         -1.83%

                            │ baseline-bench.txt │        benchmark-results.txt         │
                            │        B/op        │     B/op      vs base                │
InterpreterCreation-4               2.027Mi ± 0%   2.027Mi ± 0%       ~ (p=0.366 n=6)
ComponentLoad-4                     2.180Mi ± 0%   2.180Mi ± 0%       ~ (p=0.937 n=6)
ComponentExecute-4                  1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4          1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4         1.203Ki ± 0%   1.203Ki ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                2.183Mi ± 0%   2.183Mi ± 0%       ~ (p=0.972 n=6)
SourceValidation-4                  1.984Ki ± 0%   1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                1.133Ki ± 0%   1.133Ki ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4              2.182Mi ± 0%   2.182Mi ± 0%       ~ (p=0.558 n=6)
geomean                             15.25Ki        15.25Ki       -0.00%
¹ all samples are equal

                            │ baseline-bench.txt │        benchmark-results.txt        │
                            │     allocs/op      │  allocs/op   vs base                │
InterpreterCreation-4                15.68k ± 0%   15.68k ± 0%       ~ (p=1.000 n=6)
ComponentLoad-4                      18.02k ± 0%   18.02k ± 0%       ~ (p=1.000 n=6)
ComponentExecute-4                    25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-1-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-2-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-4-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-8-4            25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
PoolContention/workers-16-4           25.00 ± 0%    25.00 ± 0%       ~ (p=1.000 n=6) ¹
ComponentLifecycle-4                 18.07k ± 0%   18.07k ± 0%       ~ (p=1.000 n=6) ¹
SourceValidation-4                    32.00 ± 0%    32.00 ± 0%       ~ (p=1.000 n=6) ¹
RegistryConcurrent-4                  2.000 ± 0%    2.000 ± 0%       ~ (p=1.000 n=6) ¹
LoaderLoadFromString-4               18.06k ± 0%   18.06k ± 0%       ~ (p=1.000 n=6) ¹
geomean                               183.3         183.3       +0.00%
¹ all samples are equal

pkg: github.com/GoCodeAlone/workflow/middleware
                                  │ baseline-bench.txt │       benchmark-results.txt       │
                                  │       sec/op       │   sec/op     vs base              │
CircuitBreakerDetection-4                  284.2n ± 8%   293.4n ± 5%       ~ (p=0.669 n=6)
CircuitBreakerExecution_Success-4          21.52n ± 0%   21.51n ± 0%       ~ (p=0.784 n=6)
CircuitBreakerExecution_Failure-4          65.80n ± 0%   66.20n ± 0%  +0.62% (p=0.002 n=6)
geomean                                    73.82n        74.76n       +1.28%

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │        B/op        │    B/op     vs base                │
CircuitBreakerDetection-4                 144.0 ± 0%     144.0 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                  │ baseline-bench.txt │       benchmark-results.txt        │
                                  │     allocs/op      │ allocs/op   vs base                │
CircuitBreakerDetection-4                 1.000 ± 0%     1.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Success-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
CircuitBreakerExecution_Failure-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                              ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/module
                                 │ baseline-bench.txt │       benchmark-results.txt        │
                                 │       sec/op       │    sec/op     vs base              │
JQTransform_Simple-4                     884.7n ± 32%   862.1n ± 30%       ~ (p=0.132 n=6)
JQTransform_ObjectConstruction-4         1.469µ ±  1%   1.434µ ±  1%  -2.42% (p=0.002 n=6)
JQTransform_ArraySelect-4                3.337µ ±  2%   3.295µ ±  1%  -1.26% (p=0.009 n=6)
JQTransform_Complex-4                    38.58µ ±  1%   38.24µ ±  0%  -0.87% (p=0.002 n=6)
JQTransform_Throughput-4                 1.780µ ±  1%   1.757µ ±  0%  -1.29% (p=0.002 n=6)
SSEPublishDelivery-4                     71.88n ± 42%   74.48n ±  1%       ~ (p=0.394 n=6)
geomean                                  1.666µ         1.653µ        -0.82%

                                 │ baseline-bench.txt │        benchmark-results.txt         │
                                 │        B/op        │     B/op      vs base                │
JQTransform_Simple-4                   1.273Ki ± 0%     1.273Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4       1.773Ki ± 0%     1.773Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4              2.625Ki ± 0%     2.625Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                  16.22Ki ± 0%     16.22Ki ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4               1.984Ki ± 0%     1.984Ki ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                     0.000 ± 0%       0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²                 +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                 │ baseline-bench.txt │       benchmark-results.txt        │
                                 │     allocs/op      │ allocs/op   vs base                │
JQTransform_Simple-4                     10.00 ± 0%     10.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ObjectConstruction-4         15.00 ± 0%     15.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_ArraySelect-4                30.00 ± 0%     30.00 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Complex-4                    324.0 ± 0%     324.0 ± 0%       ~ (p=1.000 n=6) ¹
JQTransform_Throughput-4                 17.00 ± 0%     17.00 ± 0%       ~ (p=1.000 n=6) ¹
SSEPublishDelivery-4                     0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                             ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/schema
                                    │ baseline-bench.txt │       benchmark-results.txt       │
                                    │       sec/op       │   sec/op     vs base              │
SchemaValidation_Simple-4                    1.099µ ± 8%   1.112µ ± 6%       ~ (p=0.699 n=6)
SchemaValidation_AllFields-4                 1.661µ ± 1%   1.681µ ± 4%       ~ (p=0.485 n=6)
SchemaValidation_FormatValidation-4          1.573µ ± 1%   1.606µ ± 2%  +2.10% (p=0.048 n=6)
SchemaValidation_ManySchemas-4               1.801µ ± 2%   1.814µ ± 2%       ~ (p=0.420 n=6)
geomean                                      1.508µ        1.528µ       +1.31%

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │        B/op        │    B/op     vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                    │ baseline-bench.txt │       benchmark-results.txt        │
                                    │     allocs/op      │ allocs/op   vs base                │
SchemaValidation_Simple-4                   0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_AllFields-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_FormatValidation-4         0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
SchemaValidation_ManySchemas-4              0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

pkg: github.com/GoCodeAlone/workflow/store
                                   │ baseline-bench.txt │       benchmark-results.txt        │
                                   │       sec/op       │    sec/op     vs base              │
EventStoreAppend_InMemory-4                1.259µ ± 13%   1.296µ ± 20%       ~ (p=0.937 n=6)
EventStoreAppend_SQLite-4                  1.496m ± 10%   1.491m ±  2%       ~ (p=0.699 n=6)
GetTimeline_InMemory/events-10-4           13.74µ ±  3%   13.38µ ±  2%       ~ (p=0.065 n=6)
GetTimeline_InMemory/events-50-4           68.44µ ± 15%   75.69µ ±  2%       ~ (p=0.485 n=6)
GetTimeline_InMemory/events-100-4          123.7µ ±  2%   119.1µ ±  1%  -3.74% (p=0.002 n=6)
GetTimeline_InMemory/events-500-4          632.1µ ±  1%   611.2µ ±  0%  -3.30% (p=0.002 n=6)
GetTimeline_InMemory/events-1000-4         1.295m ±  1%   1.254m ±  1%  -3.17% (p=0.002 n=6)
GetTimeline_SQLite/events-10-4             107.0µ ±  1%   104.6µ ±  2%  -2.28% (p=0.015 n=6)
GetTimeline_SQLite/events-50-4             248.2µ ±  0%   241.0µ ±  1%  -2.89% (p=0.002 n=6)
GetTimeline_SQLite/events-100-4            417.2µ ±  0%   406.4µ ±  0%  -2.59% (p=0.002 n=6)
GetTimeline_SQLite/events-500-4            1.795m ±  0%   1.748m ± 22%       ~ (p=0.065 n=6)
GetTimeline_SQLite/events-1000-4           3.513m ±  1%   3.401m ±  1%  -3.19% (p=0.002 n=6)
geomean                                    219.5µ         216.9µ        -1.18%

                                   │ baseline-bench.txt │        benchmark-results.txt         │
                                   │        B/op        │     B/op      vs base                │
EventStoreAppend_InMemory-4                  810.5 ± 8%     789.5 ± 6%       ~ (p=0.407 n=6)
EventStoreAppend_SQLite-4                  1.987Ki ± 2%   1.987Ki ± 2%       ~ (p=0.900 n=6)
GetTimeline_InMemory/events-10-4           7.953Ki ± 0%   7.953Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4           46.62Ki ± 0%   46.62Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4          94.48Ki ± 0%   94.48Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4          472.8Ki ± 0%   472.8Ki ± 0%       ~ (p=0.545 n=6)
GetTimeline_InMemory/events-1000-4         944.3Ki ± 0%   944.3Ki ± 0%       ~ (p=0.141 n=6)
GetTimeline_SQLite/events-10-4             16.74Ki ± 0%   16.74Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4             87.14Ki ± 0%   87.14Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4            175.4Ki ± 0%   175.4Ki ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-500-4            846.1Ki ± 0%   846.1Ki ± 0%       ~ (p=0.056 n=6)
GetTimeline_SQLite/events-1000-4           1.639Mi ± 0%   1.639Mi ± 0%       ~ (p=0.121 n=6)
geomean                                    67.50Ki        67.35Ki       -0.22%
¹ all samples are equal

                                   │ baseline-bench.txt │        benchmark-results.txt        │
                                   │     allocs/op      │  allocs/op   vs base                │
EventStoreAppend_InMemory-4                  7.000 ± 0%    7.000 ± 0%       ~ (p=1.000 n=6) ¹
EventStoreAppend_SQLite-4                    53.00 ± 0%    53.00 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-10-4             125.0 ± 0%    125.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-50-4             653.0 ± 0%    653.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-100-4           1.306k ± 0%   1.306k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-500-4           6.514k ± 0%   6.514k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_InMemory/events-1000-4          13.02k ± 0%   13.02k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-10-4               382.0 ± 0%    382.0 ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-50-4              1.852k ± 0%   1.852k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-100-4             3.681k ± 0%   3.681k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-500-4             18.54k ± 0%   18.54k ± 0%       ~ (p=1.000 n=6) ¹
GetTimeline_SQLite/events-1000-4            37.29k ± 0%   37.29k ± 0%       ~ (p=1.000 n=6) ¹
geomean                                     1.162k        1.162k       +0.00%
¹ all samples are equal

Benchmarks run with go test -bench=. -benchmem -count=6.
Regressions ≥ 20% are flagged. Results compared via benchstat.

…port

- Replace direct os.ReadFile+yaml.Unmarshal in loadSecretsConfig,
  loadWorkflowConfigForSecrets, and runSecretsDetect in secrets_detect.go
  with config.LoadFromFile so import directives are honored
- Replace direct os.ReadFile+yaml.Unmarshal in runSecretsSetup in
  secrets_setup.go with config.LoadFromFile
- Replace direct os.ReadFile+yaml.Unmarshal in parseSecretsConfig in
  infra_secrets.go with config.LoadFromFile
- Remove now-unused gopkg.in/yaml.v3 imports from secrets_detect.go
  and secrets_setup.go
- Add regression tests in secrets_imports_test.go covering imported
  entries, secretStores, defaultStore resolution, and validate behavior

Agent-Logs-Url: https://github.com/GoCodeAlone/workflow/sessions/29c5afe6-a4f0-4dce-9a30-b911e006cc4b

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot AI requested review from Copilot and removed request for Copilot May 6, 2026 04:58
Copilot AI changed the title [WIP] Fix wfctl secrets commands to parse config through imports wfctl secrets: use config.LoadFromFile to honor imports: directives May 6, 2026
Copilot AI requested a review from intel352 May 6, 2026 05:00
@intel352 intel352 marked this pull request as ready for review May 6, 2026 06:01
Copilot AI review requested due to automatic review settings May 6, 2026 06:01

Copilot AI left a comment


Pull request overview

This PR updates wfctl secrets and infra secret-sync paths to load workflow configuration via config.LoadFromFile so imports: directives are honored, ensuring secrets, secret stores, and per-environment overrides defined in imported YAML files are visible to these commands.

Changes:

  • Replace os.ReadFile + yaml.Unmarshal with config.LoadFromFile in secrets-related command loaders and infra secrets parsing.
  • Improve missing-config handling by switching to errors.Is(err, os.ErrNotExist) where LoadFromFile wraps errors.
  • Add regression tests covering secrets/import merge behavior across wfctl secrets + infra secret parsing.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File | Description
cmd/wfctl/secrets_setup.go | Loads merged config via config.LoadFromFile so secrets setup can see imported secrets/defaultStore.
cmd/wfctl/secrets_detect.go | Uses config.LoadFromFile for secrets config loading and missing-file fallbacks compatible with wrapped errors.
cmd/wfctl/infra_secrets.go | Parses secrets config via config.LoadFromFile so infra bootstrap/post-apply secret sync sees imported secrets: content.
cmd/wfctl/secrets_imports_test.go | Adds tests asserting imports are honored for secrets entries/defaultStore/secretStores and infra secrets parsing.

Comment thread cmd/wfctl/secrets_setup.go Outdated
Comment thread cmd/wfctl/infra_secrets.go Outdated
Comment on lines +63 to +79
// TestLoadSecretsConfig_MainWinsOverImport verifies that when the same entry
// is declared in both main and imported files, the main file's definition wins.
func TestLoadSecretsConfig_MainWinsOverImport(t *testing.T) {
dir := t.TempDir()

shared := `secrets:
defaultStore: imported-store
entries:
- name: SHARED_SECRET
`
main := `imports:
- shared.yaml
secrets:
defaultStore: main-store
entries:
- name: MAIN_SECRET
`
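Review bot: In TestLoadSecretsConfig_MainWinsOverImport the two fixtures declare different entry names (SHARED_SECRET in shared, MAIN_SECRET in main), so the only real conflict is defaultStore and the entry-level "main wins" case named in the doc comment is never exercised. Add an entry with the same name to both files, give each copy a distinguishing field, and assert that the merged list contains that name exactly once with main's value.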
Comment thread cmd/wfctl/secrets_imports_test.go Outdated

intel352 commented May 6, 2026

@copilot apply changes based on the comments in this thread

- Replace resolveSecretStoreForSetup+newSecretsProvider in runSecretsSetup
  with ResolveSecretStore+getProviderForStore to correctly use
  SecretsStoreOverride (not SecretsProvider) for env-level overrides and
  to properly look up named stores from SecretStores map
- Remove the now-redundant resolveSecretStoreForSetup function
- Fix parseSecretsConfig comment: remove misleading mention of secretStores
  (the function only returns cfg.Secrets, not SecretStores)
- Improve TestLoadSecretsConfig_MainWinsOverImport: add a duplicate entry
  name in both files to actually exercise conflict-resolution (main wins)
  and assert no duplicates in the merged result
- Update TestSecretsSetup_HonorsImportedDefaultStore: remove leftover
  dead scaffolding (entry/_ = entry) and use ResolveSecretStore directly

Agent-Logs-Url: https://github.com/GoCodeAlone/workflow/sessions/570bc092-953b-4c28-873c-ba02086b0ad6

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

Copilot AI commented May 6, 2026

@copilot apply changes based on the comments in this thread

Applied all four review changes in commit 9143418:

  1. secrets_setup.go:55 — Replaced resolveSecretStoreForSetup + newSecretsProvider with ResolveSecretStore + getProviderForStore. This fixes the env-level override to use SecretsStoreOverride (matching the runtime resolution path) and correctly looks up named stores from the SecretStores map. The now-redundant resolveSecretStoreForSetup function is removed.

  2. infra_secrets.go:22-24 — Fixed the comment to say "merged secrets section (entries, defaultStore, generate, etc.)" instead of the misleading "imported secretStores".

  3. secrets_imports_test.go:63-79 — TestLoadSecretsConfig_MainWinsOverImport now includes a DUPLICATE_SECRET entry in both files with different descriptions, and asserts that the main definition wins, the unique entries from both files are present, and no entry appears more than once.

  4. secrets_imports_test.go:282-288 — Removed the dead entry/_ = entry scaffolding from TestSecretsSetup_HonorsImportedDefaultStore and updated it to call ResolveSecretStore directly.

@intel352 intel352 merged commit 9ef8665 into main May 6, 2026
20 checks passed
@intel352 intel352 deleted the copilot/fix-wfctl-secrets-commands-parsing branch May 6, 2026 13:43

Successfully merging this pull request may close these issues.

wfctl secrets commands (loadSecretsConfig + runSecretsSetup) parse YAML directly — bypasses processImports merges
