feat(dev): persist build secrets via config to avoid repeating --build-secrets flags #2179
Open
collinmcnulty wants to merge 2 commits into
…d-secrets flags

Users with private pip sources (e.g. netrc secrets for private GitHub repos) previously had to pass --build-secrets on every astro dev command. This adds a dev.build_secrets config key so the secret can be declared once per project or globally and picked up automatically by all astro dev commands.

Priority order: --build-secrets flag > dev.build_secrets project config > dev.build_secrets global config > BUILD_SECRET_INPUT env var (preserved).

Cloud deploy commands intentionally do not use this config key.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Coverage Report for CI Build 27775746430

Coverage increased (+0.005%) to 45.096%

Uncovered Changes: No uncovered changes found.
Coverage Regressions: No coverage regressions found.

💛 - Coveralls
Tests the three meaningful priority ordering behaviors:

- config fallback is used when no flag is given
- flag takes priority over config fallback
- config fallback takes priority over BUILD_SECRET_INPUT env var

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

PR astronomer/astro-runtime#2974 added support for a netrc Docker build secret to enable private pip installs. However, users must pass --build-secrets id=netrc,env=NETRC_CONTENT on every astro dev invocation (start, restart, parse, pytest, build, upgrade-test).

This PR adds a dev.build_secrets config key so the secret can be declared once and picked up automatically:

Fallback priority order:

1. --build-secrets flag (explicit, highest priority)
2. dev.build_secrets in .astro/config.yaml (project config)
3. dev.build_secrets in ~/.astro/config.yaml (global config)
4. BUILD_SECRET_INPUT env var (existing undocumented fallback, preserved)

Cloud deploy commands (astro deploy, astro remote deploy) intentionally do not read this config key — secrets for cloud builds should remain explicit.

Changes

- config/types.go — add DevBuildSecrets cfg field to the cfgs struct
- config/config.go — register dev.build_secrets config key with empty default
- pkg/util/util.go — add variadic fallbacks ...string to GetbuildSecretString (backwards-compatible; existing callers without a fallback are unaffected)
- cmd/airflow.go — pass config.CFG.DevBuildSecrets.GetString() as fallback at all 6 astro dev call sites

Test plan

- go test ./config/... ./pkg/util/... ./cmd/... passes (verified locally)
- astro config set dev.build_secrets "id=netrc,env=NETRC_CONTENT" persists to .astro/config.yaml
- astro dev start without --build-secrets picks up the config value
- --build-secrets flag overrides the config value
- astro deploy does not pick up the dev config value

🤖 Generated with Claude Code
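The fallback order described above, sketched as an added example that is not code from this PR or from astro-cli. The names resolveBuildSecrets and checkPersistedSpec are hypothetical, a single secret spec is assumed, and the check assumes Docker's id/env/src/type secret keys so that a value written to config.yaml only references the secret, as id=netrc,env=NETRC_CONTENT does.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolveBuildSecrets returns the first non-empty candidate in the PR's stated
// priority order. Hypothetical helper, not the astro-cli GetbuildSecretString.
func resolveBuildSecrets(flag, projectCfg, globalCfg string, getenv func(string) string) (value, source string) {
	candidates := []struct{ src, val string }{
		{"flag", flag},
		{"project config", projectCfg},
		{"global config", globalCfg},
		{"BUILD_SECRET_INPUT", getenv("BUILD_SECRET_INPUT")},
	}
	for _, c := range candidates {
		if c.val != "" {
			return c.val, c.src
		}
	}
	return "", "none"
}

// checkPersistedSpec accepts a spec only if it names an id and points at the
// secret through env= or src=, so the config file never holds the credential.
func checkPersistedSpec(spec string) error {
	seen := map[string]bool{}
	for _, kv := range strings.Split(spec, ",") {
		key, val, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || val == "" {
			return fmt.Errorf("malformed field %q", kv)
		}
		switch key {
		case "id", "env", "src", "type": // keys assumed from Docker's --secret syntax
			seen[key] = true
		default:
			return fmt.Errorf("unexpected key %q", key)
		}
	}
	if !seen["id"] || !(seen["env"] || seen["src"]) {
		return fmt.Errorf("spec needs id= and one of env= or src=")
	}
	return nil
}

func main() {
	// Constructed input: no flag, project config set, global config empty.
	v, src := resolveBuildSecrets("", "id=netrc,env=NETRC_CONTENT", "", os.Getenv)
	fmt.Println(v, "from", src, "valid:", checkPersistedSpec(v) == nil)
}
```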