xworkspace-console

History

Haitao Pan c2cd3035a4 ci(deploy-iac): fail fast on missing required Vault secrets Add a 'Validate required secrets' run-step after each job's Vault OIDC load step. It checks REQUIRED steps.vault.outputs.* are non-empty via env: mapping (never echoes secret values), and on any empty key prints a ::error:: naming the key + its Vault path then exit 1. The deploy job requires at least one of ANSIBLE_SSH_KEY_B64 / ANSIBLE_SSH_KEY. Optional keys (INFRA_REPO_TOKEN, TF_STATE_*) are not validated. Vault path strings in error messages reference the env.VAULT_KV[_OPENCLAW] vars rather than hardcoded literals. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-24 20:46:30 +08:00
..
workflows	ci(deploy-iac): fail fast on missing required Vault secrets	2026-06-24 20:46:30 +08:00

Haitao Pan c2cd3035a4 ci(deploy-iac): fail fast on missing required Vault secrets

Add a 'Validate required secrets' run-step after each job's Vault OIDC
load step. It checks REQUIRED steps.vault.outputs.* are non-empty via
env: mapping (never echoes secret values), and on any empty key prints a
::error:: naming the key + its Vault path then exit 1. The deploy job
requires at least one of ANSIBLE_SSH_KEY_B64 / ANSIBLE_SSH_KEY. Optional
keys (INFRA_REPO_TOKEN, TF_STATE_*) are not validated. Vault path strings
in error messages reference the env.VAULT_KV[_OPENCLAW] vars rather than
hardcoded literals.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-24 20:46:30 +08:00

workflows

ci(deploy-iac): fail fast on missing required Vault secrets

2026-06-24 20:46:30 +08:00