feat: secret support — hm.secrets["…"], local .env resolution, hm cloud secret CLI#152
Open
markovejnovic wants to merge 7 commits into
Implements the CLI/DSL/IR side of GHA-style secrets (CLI-41 / #112).
Secrets are referenced in pipelines via `hm.secrets["NAME"]` and resolved at run time — never embedded in the IR. The DSLs split each step's env into a literal `env` map and a `secrets` map (env-var-name → secret-name) that rides through the v0 IR JSON; the backend (separate simci PR) and local `hm run` both resolve those references to values, with the backend additionally driving log masking.

## What's here (7 commits)

- `hm-pipeline-ir`: `secrets` map on `CommandStep` (per-step) and `Transition` (merged node), serde round-tripped, snapshots updated.
- `hm.secrets["NAME"]` returns a `SecretRef`; env values accept refs; lowering splits literals vs refs into `env`/`secrets`. Name-validated (`^[A-Za-z_][A-Za-z0-9_]*$`).
- `secrets["NAME"]` (Symbol-branded `SecretRef`, symbol-access-safe Proxy); same lowering split.
- `hm init` templates: commented `hm.secrets` usage in the Python + TS starters.
- `hm-exec`: `SecretResolver` reads a project `.env` overlaid by the process env (process wins) and resolves each step's refs into the container env; fails fast with a precise, actionable error when a referenced secret is missing. Tracing span skips the env map so resolved values never reach local logs.
- `hm cloud secret set | list | rm`: org-scoped by default, `--pipeline <slug>` for pipeline scope; value via arg, `--from-file`, or `-` (stdin); list shows names only (values are write-only).

## Contract

`secrets` map direction = env-var-name → secret-name, on both step and merged node, mirroring `env`. Merge semantics: pipeline secrets under per-step secrets (step wins). Matches the Elixir IR + DSL emit byte-for-byte (verified via regenerated e2e fixtures, additive only).

## Test plan

- `cargo test` (workspace) + `cargo clippy --all-targets -- -D warnings`
- harmont-py: `ruff check` + `pytest` (new `test_secrets.py`; e2e fixtures regenerated, additive)
- harmont-ts: `vitest` + `tsc --noEmit` (new `secret.test.ts`)
- `hm-exec` resolver + fail-fast unit tests; `hm-plugin-cloud` path/value-source unit tests + `cmd_cloud_gate`
- `hm init` template round-trip render tests

Pairs with the simci backend PR (encrypted org/pipeline storage, resolve-at-materialize, REST CRUD, agent log masking, dashboard UI). Ref #112.
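How the lowering split and the local `.env`-overlaid-by-process-env resolution described above fit together, as an added Python example (not harmont-py's or hm-exec's own code; the class and function names are hypothetical stand-ins, and the `.env` text and env dicts in the checks are constructed):

```python
import re
from dataclasses import dataclass
# Hypothetical names throughout; they mirror the PR's description, not harmont-py's API.
SECRET_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

@dataclass(frozen=True)
class SecretRef:
    """Reference to a secret by name; carries no value, so it can sit in the IR."""
    name: str

class _Secrets:
    """Stand-in for hm.secrets: hm.secrets["NAME"] -> SecretRef, name validated on access."""
    def __getitem__(self, name: str) -> SecretRef:
        if not SECRET_NAME.match(name):
            raise ValueError(f"invalid secret name {name!r}")
        return SecretRef(name)

secrets = _Secrets()

def lower_env(env: dict) -> tuple:
    """Split a step's env into the literal `env` map and the `secrets` map (var -> secret name)."""
    literals, refs = {}, {}
    for var, value in env.items():
        if isinstance(value, SecretRef):
            refs[var] = value.name          # only the name rides in the IR, never a value
        else:
            literals[var] = str(value)
    return literals, refs

def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser for a project .env; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values

def missing_secrets(secrets_map: dict, dotenv: dict, process_env: dict) -> list:
    """Referenced secret names that neither .env nor the process env provides."""
    return sorted(set(secrets_map.values()) - set(dotenv) - set(process_env))

def resolve_step_env(env: dict, secrets_map: dict, dotenv: dict, process_env: dict) -> dict:
    """Container env: .env overlaid by the process env (process wins); fails fast if any ref is unset."""
    missing = missing_secrets(secrets_map, dotenv, process_env)
    if missing:
        raise KeyError(f"secret(s) not set in .env or the process env: {missing}")
    available = {**dotenv, **process_env}
    return {**env, **{var: available[name] for var, name in secrets_map.items()}}
```

Because the error lists names rather than values, and the resolved map is built only after the check passes, nothing secret is available to log on the failure path.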