From 44b99f25ca2a8c6fd5f2194de5cdb9af62dc6f86 Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Fri, 10 Apr 2026 14:55:31 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20address=20Devin=20review=20round=205=20?= =?UTF-8?q?=E2=80=94=20empty=20secret=20file,=20CI=20.env?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- secrets.py: validate file content is non-empty before using it; regenerate if file exists but is empty/corrupted
- release.yml: touch .env before docker compose in smoke test (env_file: .env in docker-compose.yml requires the file to exist)

663 tests pass.
---
 .github/workflows/release.yml | 2 ++
 app/secrets.py | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3c3e436..6e2c6a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,8 @@ jobs:
 - name: Start Agnes from built image
 run: |
+ # Create empty .env (docker-compose.yml requires env_file: .env, gitignored)
+ touch .env
 # Use prod compose (GHCR images) + CI overlay (test secrets)
 export AGNES_TAG="${{ needs.build-and-push.outputs.image_tag }}"
 docker compose -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.ci.yml up -d app
diff --git a/app/secrets.py b/app/secrets.py
index 3dbcec9..41f837d 100644
--- a/app/secrets.py
+++ b/app/secrets.py
@@ -15,7 +15,10 @@ def _load_or_generate(env_var: str, file_name: str) -> str:
 data_dir = Path(os.environ.get("DATA_DIR", "./data"))
 secret_path = data_dir / "state" / file_name
 if secret_path.exists():
- return secret_path.read_text().strip()
+ val = secret_path.read_text().strip()
+ if val:
+ return val
+ logger.warning("Secret file %s is empty, regenerating", secret_path)
 secret_path.parent.mkdir(parents=True, exist_ok=True)
 val = secrets.token_hex(32)
 secret_path.write_text(val)
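Review bot: `touch .env` in the added lines does not make the file empty as the comment above it claims — it only guarantees the file exists, so any pre-existing `.env` (for example on a self-hosted runner with a persistent workspace) is still loaded by compose's `env_file` alongside the CI overlay. If the smoke test must never pick up ambient configuration, truncate it explicitly with `: > .env`; if existence is all that matters, reword the comment to `# Ensure .env exists (docker-compose.yml declares env_file: .env; the file is gitignored)` so the intent and the command agree. The `run: |` step may continue past the last line of the hunk.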
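Review bot: `secret_path.write_text(val)` on the last line of the hunk creates the secret file with the process umask's default mode (commonly group/world-readable) and writes it in place, so a crash or full disk between create and write leaves exactly the empty file the new `if val:` check now guards against. Creating the file with mode 0o600 and writing to a temporary sibling followed by `os.replace` closes both gaps; the same permission point applies to the `state` directory created by `mkdir` on the line above (consider `mode=0o700`). Note also that the new branch only detects an empty or whitespace-only file while the commit message says "empty/corrupted" — if this function is the only writer, a `len(val) == 64` hex-format check would also catch a truncated file, but if operators may provision the file by hand the current check is the right one. The function's tail after `write_text` lies outside the hunk.
```python
    secret_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    val = secrets.token_hex(32)
    # Write atomically and owner-only so a partial write never leaves an
    # empty or readable-by-others secret file behind.
    tmp_path = secret_path.with_name(secret_path.name + ".tmp")
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(val)
    os.replace(tmp_path, secret_path)
    # … unchanged: remainder of _load_or_generate …
```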