@Morsicus Morsicus commented Oct 29, 2025

Context

Currently, when required secrets (configured with secretspec) are missing, running devenv shell fails to build the environment.

It leads to a strange developer experience because adding a secret is not easy. Indeed, the secretspec check command is accessible in the environment, but the environment is not built.

It also gives a clunky developer experience during onboarding (i.e. when the secrets have not yet been set).

Proposed solution

I understand that we probably don't want to have a shell that has been built without required secrets, because the shell won't be completely working.

However, it's a chicken-and-egg problem that needs to be solved to ease the process of adding new secrets and onboarding new developers.

My current implementation adds a "Status concept" in the devenv structure. This status is updated when we assemble the environment. If we find "missing secrets", rather than bailing out, we change the status to MissingSecrets and the rest of the process of "assembling the environment" continues.

When we exec inside the shell, we can actually read the status and print a warning message to the user with some hints to fix the problem.

Before

image

After

image

Testing

To test this change:

  • Configure a project with secretspec.toml requiring secrets:
[project]
name = "Test Project"
revision = "1.0"

[profiles.default]
SECRET_1 = { description = "A secret", required = true }
SECRET_2 = { description = "A secret", required = true }
SECRET_3 = { description = "A secret", required = true }
SECRET_4 = { description = "A secret", required = true }
SECRET_5 = { description = "A secret", required = true }
SECRET_6 = { description = "A secret", required = true }
SECRET_7 = { description = "A secret", required = true }

[profiles.development]
  • Don't set the required secrets
  • Run devenv shell
  • Observe: Shell opens (instead of failing) with red warning
  • Run secretspec check inside the shell and configure secrets
  • Exit and re-run devenv shell
  • Observe: Shell opens without warning

Future work (if we want to)

  • We could reuse the status for different needs
  • We could print the status in the TUI
  • We could add a command devenv status, devenv doctor or devenv healthcheck

Resources

Let me know what I could change or if you have a better idea - I might have missed some side effects (I'm just ramping up on the code base :D)
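
The status-instead-of-bail flow described in the comment above, as an added example that is not code from this pull request or from devenv. Only Status and MissingSecrets are names taken from the description; SecretDecl, assemble, warning and the provider map are hypothetical, and treating an empty value as missing is an assumption of the example.

```rust
use std::collections::BTreeMap;

/// Result of assembling the environment (the "Status concept" in the description).
#[derive(Debug, PartialEq)]
pub enum Status { Ready, MissingSecrets(Vec<String>) }

/// One declared secret, mirroring a secretspec.toml profile entry (hypothetical type).
pub struct SecretDecl { pub name: &'static str, pub required: bool }

/// Hypothetical assemble step: export what resolved, record what did not.
/// A missing required secret downgrades the status instead of aborting.
pub fn assemble(
    decls: &[SecretDecl],
    provider: &BTreeMap<&str, &str>,
) -> (BTreeMap<String, String>, Status) {
    let mut env = BTreeMap::new();
    let mut missing = Vec::new();
    for d in decls {
        match provider.get(d.name) {
            // Assumption of this example: an empty value counts as missing.
            Some(v) if !v.is_empty() => {
                env.insert(d.name.to_string(), v.to_string());
            }
            _ if d.required => missing.push(d.name.to_string()),
            _ => {}
        }
    }
    if missing.is_empty() { (env, Status::Ready) } else { (env, Status::MissingSecrets(missing)) }
}

/// Warning printed on shell entry: secret names only, never values.
pub fn warning(status: &Status) -> Option<String> {
    match status {
        Status::Ready => None,
        Status::MissingSecrets(n) => Some(format!(
            "warning: missing required secrets: {}. Run `secretspec check` to set them.",
            n.join(", ")
        )),
    }
}

fn main() {
    // Constructed sample: SECRET_1 is set, SECRET_2 is not.
    let decls = [SecretDecl { name: "SECRET_1", required: true }, SecretDecl { name: "SECRET_2", required: true }];
    let provider = BTreeMap::from([("SECRET_1", "s3cr3t")]);
    let (_env, status) = assemble(&decls, &provider);
    if let Some(w) = warning(&status) { eprintln!("{w}"); }
}
```

The environment map only ever contains secrets that resolved, so a degraded shell never exports placeholder values for the missing ones.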

@Morsicus
Author

❓ I'm thinking about an alternative approach: using the "ad-hoc environment" with secretspec installed in order to set the secrets (and work around the current behavior that bails out).

I don't know if it's a good idea... :x Just sharing here if anyone has any thought :)

@domenkozar
Member

Maybe devenv should be running check so it asks for passwords directly?
