wfctl secrets: use config.LoadFromFile to honor imports: directives

cmd/wfctl/infra_secrets.go

@@ -19,20 +19,16 @@ type SecretsConfig = config.SecretsConfig
 type SecretGen = config.SecretGen
 type InfraConfig = config.InfraConfig
 
-// parseSecretsConfig reads the "secrets:" top-level key from a YAML file.
-// Returns nil, nil if the section is absent.
+// parseSecretsConfig reads the "secrets:" top-level key from a YAML file,
+// honoring any imports: directives so that the merged secrets section
+// (entries, defaultStore, generate, etc.) is visible to callers.
+// Returns nil, nil if the section is absent after merging.
 func parseSecretsConfig(cfgFile string) (*SecretsConfig, error) {
-	data, err := os.ReadFile(cfgFile)
+	cfg, err := config.LoadFromFile(cfgFile)
 	if err != nil {
-		return nil, fmt.Errorf("read %s: %w", cfgFile, err)
-	}
-	var parsed struct {
-		Secrets *SecretsConfig `yaml:"secrets"`
-	}
-	if err := yaml.Unmarshal(data, &parsed); err != nil {
-		return nil, fmt.Errorf("parse secrets config %s: %w", cfgFile, err)
+		return nil, fmt.Errorf("load config %s: %w", cfgFile, err)
 	}
-	return parsed.Secrets, nil
+	return cfg.Secrets, nil
 }
 
 // parseInfraConfig reads the "infra:" top-level section from a YAML file.

cmd/wfctl/secrets_detect.go

@@ -13,7 +13,6 @@ import (
 	"github.com/GoCodeAlone/workflow/secrets"
 	"github.com/mattn/go-isatty"
 	"golang.org/x/term"
-	"gopkg.in/yaml.v3"
 )
 
 // secretFieldPatterns are field name substrings that indicate a secret value.
@@ -35,16 +34,12 @@ func runSecretsDetect(args []string) error {
 		return err
 	}
 
-	data, err := os.ReadFile(*configFile)
+	cfg, err := config.LoadFromFile(*configFile)
 	if err != nil {
-		return fmt.Errorf("read config: %w", err)
-	}
-	var cfg config.WorkflowConfig
-	if err := yaml.Unmarshal(data, &cfg); err != nil {
-		return fmt.Errorf("parse config: %w", err)
+		return fmt.Errorf("load config: %w", err)
 	}
 
-	detected := detectSecrets(&cfg)
+	detected := detectSecrets(cfg)
 	if len(detected) == 0 {
 		fmt.Println("No secret-like values detected.")
 		return nil
@@ -336,23 +331,19 @@ func secretStateLabel(state SecretState) string {
 // loadWorkflowConfigForSecrets loads the full WorkflowConfig for secret operations.
 // Falls back to a default env-provider config if the file does not exist.
 func loadWorkflowConfigForSecrets(configFile string) (*config.WorkflowConfig, error) {
-	data, err := os.ReadFile(configFile)
+	cfg, err := config.LoadFromFile(configFile)
 	if err != nil {
-		if os.IsNotExist(err) {
+		if errors.Is(err, os.ErrNotExist) {
 			return &config.WorkflowConfig{ //nolint:nilerr // gracefully fall back when file is absent
 				Secrets: &config.SecretsConfig{Provider: "env"},
 			}, nil
 		}
-		return nil, fmt.Errorf("read config: %w", err)
-	}
-	var cfg config.WorkflowConfig
-	if err := yaml.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("parse config: %w", err)
+		return nil, fmt.Errorf("load config: %w", err)
 	}
 	if cfg.Secrets == nil {
 		cfg.Secrets = &config.SecretsConfig{Provider: "env"}
 	}
-	return &cfg, nil
+	return cfg, nil
 }
 
 func runSecretsValidate(args []string) error {
@@ -486,16 +477,12 @@ func runSecretsSync(args []string) error {
 // loadSecretsConfig reads a workflow config and returns its SecretsConfig.
 // Returns a default env-provider config if no secrets: section is defined.
 func loadSecretsConfig(configFile string) (*config.SecretsConfig, error) {
-	data, err := os.ReadFile(configFile)
+	cfg, err := config.LoadFromFile(configFile)
 	if err != nil {
-		if os.IsNotExist(err) {
+		if errors.Is(err, os.ErrNotExist) {
 			return &config.SecretsConfig{Provider: "env"}, nil //nolint:nilerr // gracefully fall back when file is absent
 		}
-		return nil, fmt.Errorf("read config %q: %w", configFile, err)
-	}
-	var cfg config.WorkflowConfig
-	if err := yaml.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("parse config: %w", err)
+		return nil, fmt.Errorf("load config %q: %w", configFile, err)
 	}
 	if cfg.Secrets == nil {
 		return &config.SecretsConfig{Provider: "env"}, nil