dagger.Secret used? #142

New Issue

Closed

opened 2026-05-22 08:15:12 +00:00 by guettli · 1 comment

guettli commented 2026-05-22 08:15:12 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

Dagger requires developers to explicitly define sensitive data using a special data type called dagger.Secret (rather than a standard String).

--> check the code-base if this is the case.

Write result into comment of this issue.

Dagger requires developers to explicitly define sensitive data using a special data type called dagger.Secret (rather than a standard String). --> check the code-base if this is the case. Write result into comment of this issue.

guettlibot commented 2026-05-22 14:06:46 +00:00 (Migrated from codeberg.org)

Copy Link

Copy Source

Result of code review: dagger.Secret usage

All actual sensitive credentials in ci/main.go properly use dagger.Secret:

Parameter	Type	Used in
sshKey	*dagger.Secret	Deployer, GenerateBuildHistory, BuildWebsite, PublishWebsite, DeployLinux, DeployApk
keystoreBase64	*dagger.Secret	setupKeystore, BuildAndroidApk, DeployApk, SignAndroidBundle, PublishAndroid
keystorePassword	*dagger.Secret	same as above
playStoreConfig	*dagger.Secret	UploadToPlayStore, PublishAndroid
serviceAccountKey	*dagger.Secret	TestAndroidFirebase

The secrets are consumed via WithMountedSecret (for files, e.g. SSH key) and WithSecretVariable (for env vars, e.g. keystore, Play Store config) — both prevent the values from appearing in Dagger logs.

The only credentials NOT typed as dagger.Secret are the test passwords in WithStalwart (STALWART_PASS_B="secret", STALWART_PASS_C="secret"). These are hardcoded development passwords for the local Stalwart test server defined in the repo's stalwart-dev/ config — they are not production secrets and require no protection.

Conclusion: dagger.Secret is used correctly throughout the codebase. No changes needed.

## Result of code review: dagger.Secret usage All actual sensitive credentials in `ci/main.go` properly use `dagger.Secret`: | Parameter | Type | Used in | |---|---|---| | `sshKey` | `*dagger.Secret` | `Deployer`, `GenerateBuildHistory`, `BuildWebsite`, `PublishWebsite`, `DeployLinux`, `DeployApk` | | `keystoreBase64` | `*dagger.Secret` | `setupKeystore`, `BuildAndroidApk`, `DeployApk`, `SignAndroidBundle`, `PublishAndroid` | | `keystorePassword` | `*dagger.Secret` | same as above | | `playStoreConfig` | `*dagger.Secret` | `UploadToPlayStore`, `PublishAndroid` | | `serviceAccountKey` | `*dagger.Secret` | `TestAndroidFirebase` | The secrets are consumed via `WithMountedSecret` (for files, e.g. SSH key) and `WithSecretVariable` (for env vars, e.g. keystore, Play Store config) — both prevent the values from appearing in Dagger logs. **The only credentials NOT typed as `dagger.Secret`** are the test passwords in `WithStalwart` (`STALWART_PASS_B="secret"`, `STALWART_PASS_C="secret"`). These are hardcoded development passwords for the local Stalwart test server defined in the repo's `stalwart-dev/` config — they are not production secrets and require no protection. **Conclusion: `dagger.Secret` is used correctly throughout the codebase.** No changes needed.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

issue-563-agentloop-validation

dummy-pr-test

issue-560-fix-firebase-run-url

issue-539-stable-imap-uid

issue-533-shared-email-list

plan-issue-555

drop-nix

plan-issue-484

plan-issue-539

plan-issue-535

plan-issue-474

plan-issue-533

fix-dagger-engineless-precommit

issue-521-fix-deploy-yml-wait-time-api

issue-502-fix-email-id-collision-mailbox

issue-492-eliminate-duplicate-build-runner

issue-494-website-change-detection

issue-491-parallelize-check

issue-478-fix-stalwart-dual-stack-bind

issue-475-allowed-addresses-glob

issue-473-search-result-reorder

issue-453-update-agentloop-defaults

issue-466-structured-search

issue-505-exclude-chaos-monkey-from-regular-ci

issue-509-fix-search-result-sorting

fix-ink-sparkle-remaining-tests

issue-506-fix-search-emails-tests

issue-504-runner-wait-time

issue-488-search-notes

issue-472-changelog-issue-links

issue-501-folder-search-local-sqlite

issue-486-fix-stale-test-shader-mismatch

fix/prevent-settled-search-rerun-473

issue-467-fix-search-stale-results

issue-446-installed-versions-in-changelog

issue-462-fix-pr

issue-448-chaos-monkey-test

issue-436-notes-on-emails

issue-429-unify-mail-display

issue-422-move-to-folder-create-new

issue-414-ensure-not-run-as-root

issue-424-unify-email-list-views

issue-419-trusted-senders-page

issue-425-fix-prs

test-foo

issue-421-bug-report

issue-383-fix-ci

issue-394-fix-deploy-flutter-version

issue-391-fix-ci-double-trigger

issue-376-combined-inbox-v2

issue-376-combined-inbox

issue-384-fix-open-prs

sops-migrate

issue-339-safe-first-on-imap-fetch

issue-340-try-catch-measure-height

issue-342-pin-intl-version

issue-341-guard-threademails-last

issue-335-agentloop-code-test

issue-329-fix

issue-315-fix

issue-320-fix

issue-325-fix

issue-312-fix

issue-311-fix

issue-305-fix

issue-304-fix

issue-299-fix

issue-300-fix

issue-298-fix

issue-296-fix

issue-294-fix

issue-289-fix

issue-288-fix

issue-287-fix

issue-286-fix

issue-277-fix

issue-282-fix

issue-280-fix

issue-272-fix

issue-268-fix

issue-267-fix

issue-266-fix

issue-258-fix

issue-260-fix

issue-257-fix

issue-253-fix

issue-216-fix

issue-251-fix

issue-249-fix

issue-question-fixes

issue-235-fix

issue-236-fix-v2

issue-237-fix

issue-236-fix

issue-228-fix

issue-217-fix

issue-214-fix

issue-213-fix

issue-208-fix

issue-205-fix

issue-204-fix

issue-203-fix

issue-202-fix

issue-129-fix

issue-161-fix

issue-160-fix

issue-201-fix

issue-210-fix

issue-198-fix

issue-200-fix

issue-144-fix

issue-199-fix

fix/playstore-upload-use-requests

issue-193-fix

issue-186-fix

issue-185-fix

issue-192-fix

issue-183-fix

issue-175-fix

issue-172-fix

issue-171-fix

issue-167-fix

issue-136-fix

issue-162-fix

issue-179-fix

issue-155-fix

issue-154-fix

issue-152-fix

issue-151-fix

issue-141-fix

issue-150-fix

issue-164-fix

migrate-to-dagger

task/d1-ci-matrix

task/a4-typeconverter-json

task/u7-onboarding-walkthrough

task/d3-sync-doc

task/a5-layer-boundary-lint

task/t5-golden-tests

task/p5-date-cache

task/s4-link-handling

task/p3-html-parse-isolate

task/u8-mark-all-read

task/u3-recent-searches

task/a3-jmap-injectable-http-client

task/r5-tls-error-handling

fix/playstore-redirect-retry

task/t3-repository-contract-tests

task/p2-email-list-pagination

task/p1-fts5-search

fix/playstore-upload-timeout

task/a1-email-detail-notifier

fix/upgrade-workmanager-0.9

fix/android-core-library-desugaring

task/p4-db-indexes

task/r3-html-error-boundary

task/d2-check-coverage

task/a2-email-tile

task/t4-migration-tests

task/t2-widget-tests

task/t1-email-repo-coverage

task/u6-connection-status

task/u4-push-notifications

task/u2-draft-sync

task/u1-list-unsubscribe

task/s2-hostname-validation

task/r6-reliability-fuzz-tests

task/r4-sync-error-banner

task/r2-force-resync

task/r1-undo-history-persistence

No results found.

Labels

Clear labels

NeedSupervisor

Issue escalated to a human supervisor; agentloop will skip it until cleared.

State/InProgress

State/Later

State/Planned

automerge

Eligible for automatic merge by CI

ci-failure

Issue opened by agentloop to track a failing CI workflow; used for deduplication.

do-not-merge

Plan PR — review only, do not merge.

loop/code

Add to run the built-in "code" prompt; override at prompts/code.md.

loop/code-ci-pending

Prompt "code" finished; waiting for the PR's CI to pass before advancing.

loop/code-done

Prompt "code" finished successfully.

loop/code-in-process

Agent for the "code" prompt is currently running on this issue.

loop/merge

Managed by agentloop

loop/merge-done

Managed by agentloop

loop/merge-in-process

Managed by agentloop

loop/plan

Add to run the built-in "plan" prompt; override at prompts/plan.md.

loop/plan-done

Prompt "plan" finished successfully.

loop/plan-in-process

Agent for the "plan" prompt is currently running on this issue.

No labels

Milestone

No items

No Milestone

Projects

Clear projects

No projects

Assignees

Clear assignees

guettlibot guettli

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: guettli/sharedinbox#142