Skip to content

fix: resolve env-provider secrets in parent before subprocess filtering#1853

Merged
yottahmd merged 1 commit intomainfrom
fix/1852-secret-from-env
Mar 24, 2026
Merged

fix: resolve env-provider secrets in parent before subprocess filtering#1853
yottahmd merged 1 commit intomainfrom
fix/1852-secret-from-env

Conversation

@yottahmd
Copy link
Copy Markdown
Collaborator

@yottahmd yottahmd commented Mar 24, 2026
edited by coderabbitai Bot
Loading

Summary

  • When Dagu spawns a subprocess (start, restart, retry), the child process inherits a filtered environment that may exclude variables used by env-provider secrets, causing secret resolution to fail
  • Added preResolveEnvSecrets() which looks up env-provider secret source variables in the parent process and passes them to the subprocess via _DAGU_PRESOLVED_SECRET_<KEY> transport env vars
  • Updated the env secret resolver to check for presolved prefix vars as a fallback when the original env var is not in scope
  • Filtered _DAGU_PRESOLVED_SECRET_* vars from EnvScope so they never leak into step environments
  • Updated TaskStart and TaskRetry signatures to accept optional secret hints for distributed worker mode

Testing

  • make test TEST_TARGET=./internal/cmn/eval/... -count=1
  • make test TEST_TARGET=./internal/cmn/secrets/... -count=1
  • make test TEST_TARGET=./internal/runtime/... -count=1

Closes #1852

Summary by CodeRabbit

Release Notes

  • New Features
    • Introduced support for pre-resolved environment-based secrets that are injected into subprocess environments
    • Pre-resolved secrets now take precedence during secret resolution over standard environment variables
    • Internal secret transport variables are excluded from normal environment scopes to prevent interference

@yottahmd
fix: resolve env-provider secrets in parent before subprocess filteri…
264a9d5 
…ng (#1852)

The env whitelist introduced in v2.3.3 filters os.Environ() before
passing it to agent subprocesses. This breaks env-provider secrets
that reference non-whitelisted variables, since os.LookupEnv in the
child only sees the filtered set.

Pre-resolve env-provider secret source variables in the parent process
and transport them via _DAGU_PRESOLVED_SECRET_<KEY>=<value> prefixed
env vars. The env resolver checks for these prefixed vars before its
normal os.LookupEnv fallback. The prefixed vars are filtered out of
EnvScope so they never leak to step commands.
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Mar 24, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The PR implements a pre-resolution mechanism for environment-variable-based secrets to restore functionality broken in version 2.3.3. Env vars prefixed with _DAGU_PRESOLVED_SECRET_ are extracted from the process, injected into subprocesses, filtered from EnvScope, and checked by the secret resolver when original variables are unavailable.

Changes

Cohort / File(s) Summary
EnvScope Presolved Filtering
internal/cmn/eval/envscope.go, internal/cmn/eval/envscope_test.go		 Added internalSecretPrefix constant and logic to exclude OS environment variables with this prefix from EnvScope entries. Includes test verifying presolved secrets are excluded while normal variables are included.
Secret Resolver Presolved Handling
internal/cmn/secrets/env.go, internal/cmn/secrets/env_test.go		 Exported PresolvedEnvPrefix constant and updated envResolver.Resolve and CheckAccessibility to check presolved env vars as fallback. Tests verify resolution via presolved vars and confirm EnvScope precedence over presolved vars.
Pre-resolution Implementation
internal/runtime/presolved_secrets_test.go, internal/runtime/subcmd.go		 Introduced preResolveEnvSecrets() function to extract env-provider secrets from process environment, and integrated it into SubCmdBuilder.Start, Restart, Retry, and updated TaskStart/TaskRetry signatures to accept secret hints.
Signature Updates & Integration
internal/runtime/subcmd_test.go, internal/service/worker/handler.go		 Updated all TaskStart and TaskRetry call sites to pass nil or secret hint arguments; handler passes nil for presolved secrets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • feat: isolate environment variables of workers #1581: Both PRs directly interact with _DAGU_PRESOLVED_SECRET_ prefixed environment variables—this PR adds filtering and pre-resolution logic while the retrieved PR defines the prefix constant and resolver integration.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main fix: resolving env-provider secrets in the parent process before subprocess filtering, which directly addresses the core issue.
Linked Issues check ✅ Passed All code changes comprehensively address the linked issue #1852: pre-resolving env-provider secrets in the parent process, transporting them via prefixed variables, and ensuring the resolver finds them despite subprocess environment filtering.
Out of Scope Changes check ✅ Passed All changes are directly scoped to fixing env-provider secret resolution: adding prefixed transport variables, updating the resolver, filtering transport vars from user scope, and passing secret hints to task builders.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/1852-secret-from-env

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
internal/runtime/subcmd.go (1)

169-209: ⚠️ Potential issue | 🔴 Critical

Worker handler should extract and pass secretHints to TaskStart.

The Enqueue and Dequeue methods correctly use b.env() without presolved secrets—they only queue/dequeue without executing subprocesses. However, TaskStart is called with nil secretHints in handler.go:90 even though the worker has task.Definition (the full DAG YAML) available.

The coordinator handler demonstrates the pattern at lines 272 and 357: load the DAG from task.Definition using spec.LoadYAML(), then extract dag.Secrets to pass as secretHints. When a DAG with env-provider secrets is enqueued and later started by a worker lacking access to the original env vars, preResolveEnvSecrets(nil) will fail to resolve them. Update buildCommandSpec to load the DAG definition and pass secretHints when calling TaskStart and TaskRetry.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/runtime/subcmd.go` around lines 169 - 209, buildCommandSpec
currently calls TaskStart/TaskRetry with nil secretHints causing env-provider
secrets to remain unresolved; load the DAG from the task definition (use
spec.LoadYAML(task.Definition)) inside buildCommandSpec, extract dag.Secrets,
and pass that as the secretHints argument to TaskStart and TaskRetry (mirror the
coordinator pattern used around the coordinator handler examples). Ensure you
handle LoadYAML errors and propagate them appropriately before calling
TaskStart/TaskRetry so preResolveEnvSecrets receives the correct dag.Secrets.
🧹 Nitpick comments (1)
internal/cmn/eval/envscope.go (1)

14-16: Consider adding verification that internalSecretPrefix stays synchronized with secrets.PresolvedEnvPrefix.

The constants currently match and the duplication is necessary to avoid circular imports. However, if secrets.PresolvedEnvPrefix ever changes, this constant must be updated manually. A build-time or test-time verification would help catch drift.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/cmn/eval/envscope.go` around lines 14 - 16, The duplicated constant
internalSecretPrefix can drift from secrets.PresolvedEnvPrefix; add an automated
check that fails CI if they differ by creating a test (e.g.,
TestPresolvedEnvPrefixSync) in a neutral test file that does not import either
package but reads the two source files (the file that defines
secrets.PresolvedEnvPrefix and internal/cmn/eval/envscope.go), extracts the
literal string values (via regexp or simple parsing), and asserts they are
identical so any change to one will break the test and force sync.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@internal/runtime/subcmd.go`:
- Around line 169-209: buildCommandSpec currently calls TaskStart/TaskRetry with
nil secretHints causing env-provider secrets to remain unresolved; load the DAG
from the task definition (use spec.LoadYAML(task.Definition)) inside
buildCommandSpec, extract dag.Secrets, and pass that as the secretHints argument
to TaskStart and TaskRetry (mirror the coordinator pattern used around the
coordinator handler examples). Ensure you handle LoadYAML errors and propagate
them appropriately before calling TaskStart/TaskRetry so preResolveEnvSecrets
receives the correct dag.Secrets.

---

Nitpick comments:
In `@internal/cmn/eval/envscope.go`:
- Around line 14-16: The duplicated constant internalSecretPrefix can drift from
secrets.PresolvedEnvPrefix; add an automated check that fails CI if they differ
by creating a test (e.g., TestPresolvedEnvPrefixSync) in a neutral test file
that does not import either package but reads the two source files (the file
that defines secrets.PresolvedEnvPrefix and internal/cmn/eval/envscope.go),
extracts the literal string values (via regexp or simple parsing), and asserts
they are identical so any change to one will break the test and force sync.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03a12b98-b07c-4db4-8cf2-a02b0a11333d

📥 Commits

Reviewing files that changed from the base of the PR and between 59ee223 and 264a9d5.

📒 Files selected for processing (8)
  • internal/cmn/eval/envscope.go
  • internal/cmn/eval/envscope_test.go
  • internal/cmn/secrets/env.go
  • internal/cmn/secrets/env_test.go
  • internal/runtime/presolved_secrets_test.go
  • internal/runtime/subcmd.go
  • internal/runtime/subcmd_test.go
  • internal/service/worker/handler.go

@yottahmd yottahmd merged commit 09179c9 into main Mar 24, 2026
5 checks passed
@yottahmd yottahmd deleted the fix/1852-secret-from-env branch March 24, 2026 16:02
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.36%. Comparing base (59ee223) to head (264a9d5).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1853      +/-   ##
==========================================
+ Coverage   69.29%   69.36%   +0.06%     
==========================================
  Files         434      434              
  Lines       52364    52378      +14     
==========================================
+ Hits        36288    36331      +43     
+ Misses      12966    12946      -20     
+ Partials     3110     3101       -9
Files with missing lines Coverage Δ
internal/cmn/eval/envscope.go 96.50% <100.00%> (+0.04%) ⬆️
internal/cmn/secrets/env.go 90.00% <100.00%> (+1.53%) ⬆️
internal/runtime/subcmd.go 92.95% <100.00%> (+0.27%) ⬆️
internal/service/worker/handler.go 87.50% <100.00%> (+14.58%) ⬆️

... and 13 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 59ee223...264a9d5. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

This was referenced Mar 26, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Since 2.3.3 secrets doesn't work with "env" provider

1 participant

@yottahmd