feat: environment variable substitution in INI config #532
Support ${VAR} and ${VAR:-default} syntax in INI config files.
Variables are resolved before INI parsing, both in BuildFromFile
and BuildFromString paths.
- ${VAR}: replaced if defined and non-empty, kept literal if undefined
- ${VAR:-default}: uses default when undefined or empty
- $VAR without braces is NOT substituted (cron/shell safe)
Closes #362.
Signed-off-by: Sebastian Mendel <[email protected]>
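The rules listed above, sketched as an added Go example; this is not the code from this pull request. The names `expandBraced` and `bracedVar` and the sample INI are constructed for illustration, and treating a defined-but-empty variable without a default as literal is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// bracedVar matches ${NAME} and ${NAME:-default}. Bare $NAME never matches,
// and a default ends at the first '}' or newline, so it cannot contain either.
var bracedVar = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)(:-([^}\n]*))?\}`)

// expandBraced resolves references in raw config text before INI parsing.
// lookup has the signature of os.LookupEnv so callers can inject a fake environment.
func expandBraced(raw string, lookup func(string) (string, bool)) string {
	return bracedVar.ReplaceAllStringFunc(raw, func(ref string) string {
		m := bracedVar.FindStringSubmatch(ref)
		name, hasDefault, def := m[1], m[2] != "", m[3]
		if val, ok := lookup(name); ok && val != "" {
			return val // defined and non-empty: substitute
		}
		if hasDefault {
			return def // undefined or empty: use the default (may be "")
		}
		// Assumption: without a default, an unset or empty variable is left
		// literal so a typo stays visible in the parsed config.
		return ref
	})
}

// sampleINI is constructed for this example.
const sampleINI = `[global]
smtp-password = ${SMTP_PASS}
smtp-host = ${SMTP_HOST:-mail.example.test}
[job-local "backup"]
command = tar czf $HOME/backup.tgz ${MISSING_DIR}
`

func main() {
	os.Setenv("SMTP_PASS", "constructed-secret") // constructed value
	fmt.Print(expandBraced(sampleINI, os.LookupEnv))
}
```

In the output, `$HOME` and `${MISSING_DIR}` are left untouched, so the shell still sees `$HOME` and an unresolved reference remains visible instead of silently becoming an empty string.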
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the flexibility and security of INI configuration by implementing environment variable substitution. Users can now leverage environment variables to inject dynamic values or sensitive data into their configurations, with support for default values. This change allows for more robust and adaptable deployments, ensuring that configuration can be managed externally without compromising existing syntax or readability.
✅ Mutation Testing Results
Mutation Score: 100.00% (threshold: 60%)
What is mutation testing? Mutation testing measures test quality by introducing small changes (mutations) to the code and checking if tests detect them. A higher score means better test effectiveness.
Pull request overview
Adds environment-variable substitution support to Ofelia’s INI configuration loading, enabling secrets/defaults to be referenced via ${VAR} and ${VAR:-default} prior to INI parsing.
Changes:
- Introduces ${VAR} / ${VAR:-default} substitution via a new expandEnvVars() helper.
- Wires substitution into BuildFromFile and BuildFromString so configs are expanded before INI parsing.
- Adds unit + integration test coverage and updates documentation + changelog.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| cli/envsubst.go | Implements ${...} substitution logic using regex + os.LookupEnv. |
| cli/config.go | Applies env substitution when building config from file/string (pre-INI parse). |
| cli/envsubst_test.go | Unit tests for substitution edge cases and safety behavior. |
| cli/envsubst_integration_test.go | Integration tests validating end-to-end config parsing with substitution. |
| docs/CONFIGURATION.md | Documents the new substitution feature and recommended usage. |
| CHANGELOG.md | Notes the feature addition under Unreleased. |
Code Review
This pull request introduces a well-implemented feature for environment variable substitution in INI configuration files, which is great for managing secrets. The changes are accompanied by a comprehensive set of unit and integration tests, and the documentation is clear. My feedback includes a couple of suggestions to document a minor limitation in the substitution logic to improve clarity for users and maintainers.
- Add #nosec G304 for os.ReadFile (file path from user config flag)
- Fix gofumpt struct field alignment in test
- Use unique env var names in integration tests to prevent flakiness
- Clarify docs: ${VAR} in commands is substituted, use $VAR for shell;
defaults cannot contain closing braces
Signed-off-by: Sebastian Mendel <[email protected]>
The aquasecurity/[email protected] tag was removed upstream, breaking the trivy scan job. Bump trivy-action from 0.28.0 to v0.35.0 which uses the current setup-trivy version.
Signed-off-by: Sebastian Mendel <[email protected]>
Signed-off-by: Sebastian Mendel <[email protected]>
🚀 Released in v0.22.0
Thank you for your contribution! 🙏 This is now available in the latest release. Please test and verify everything works as expected in your environment. If you encounter any issues, please open a new issue.
Summary
Closes #362 — Support ${VAR} and ${VAR:-default} environment variable substitution in INI config files.
Use case
Users want to keep secrets (SMTP passwords, API keys) out of version-controlled config files, referencing them via environment variables instead.
Behavior
- ${VAR}
- ${VAR:-default}
- $VAR (no braces)
Changes
- cli/envsubst.go — expandEnvVars() using regex, os.LookupEnv
- cli/config.go — wired into BuildFromFile (per-file, before INI parse) and BuildFromString
- cli/envsubst_test.go — 24 unit tests covering all edge cases
- cli/envsubst_integration_test.go — 5 integration tests (BuildFromString + BuildFromFile)
- docs/CONFIGURATION.md — new "Environment Variable Substitution" section with Docker Compose tip
- .github/workflows/ci.yml — bump trivy-action 0.28.0 → v0.35.0 (upstream [email protected] yanked)
Test plan