refactor: Fetch registry SSH keys on executor worker#2550
Conversation
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
|
✅ No security or compliance issues detected. Reviewed everything up to 8161188. Security OverviewDetected Code Changes
|
This comment has been minimized.
This comment has been minimized.
daryllimyt
force-pushed
the
codex/registry-sync-worker-ssh-key
branch
from
c819c06 to
70c09ba
Compare
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
daryllimyt
changed the title
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c819c06a27
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 047e33b45a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 047e33b45a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tracecat/registry/sync/base_service.py">
<violation number="1" location="tracecat/registry/sync/base_service.py:602">
P1: Do not catch all exceptions for the preflight secret check; it masks non-not-found failures as "missing secret".</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
daryllimyt
temporarily deployed
to
internal-registry-ci
GitHub Actions
Inactive
1 participant
Summary
RegistrySyncRequestTemporal payloads.ssh_keyin request payloads.Why
Sandboxed registry sync runs the git clone inside the executor worker, but the previous implementation resolved the private key in the API service and carried it through the workflow/activity request. This change keeps Temporal workflow and activity payloads limited to non-secret lookup context, so the key only exists in the worker process at clone time.
Validation
uv run ruff check tracecat/registry/sync/schemas.py tracecat/registry/sync/base_service.py tracecat/registry/sync/runner.py tests/unit/test_registry_sync_runner.pyuv run ruff format --check tracecat/registry/sync/schemas.py tracecat/registry/sync/base_service.py tracecat/registry/sync/runner.py tests/unit/test_registry_sync_runner.pyuv run basedpyright tracecat/registry/sync/schemas.py tracecat/registry/sync/base_service.py tracecat/registry/sync/runner.py tests/unit/test_registry_sync_runner.pyFocused pytest was not completed after the worktree move because the repo test session fixtures require local services; the earlier run was interrupted before completion.
Summary by cubic
Fetch org-scoped registry SSH keys on the executor worker right before git clone, and ignore any legacy
ssh_keyin Temporal payloads. Adds role-scoped secret access and clearer preflight failures to reduce secret exposure and improve reliability.Refactors
ssh_keyfromRegistrySyncRequest; accept legacy payloads withextra="ignore".organization_id; API only preflights that the secret exists before scheduling._fetch_registry_ssh_key(...), passes it to_clone_repository(...), and forwardsorganization_idto discovery.Bug Fixes
Written for commit 8161188. Summary will update on new commits.