fix(ci): generate required secrets in DAST workflow #623

Merged
Aureliolo merged 1 commit into main from fix/dast-env-secrets
Mar 19, 2026

Conversation

Owner

@Aureliolo Aureliolo commented Mar 19, 2026

Summary

  • DAST workflow copies .env.example as-is, but SYNTHORG_JWT_SECRET and SYNTHORG_SETTINGS_KEY are now mandatory at startup (from the encryption-key-and-log-flush PR)
  • Backend crashes on boot with ValueError: SYNTHORG_JWT_SECRET is not set
  • Generate both secrets inline with python3 before starting the container

Test plan

  • DAST workflow passes after merge (triggers on push to main)
  • Backend starts successfully with generated secrets

Review

Quick mode -- CI-only change, no agents needed.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow configuration to enhance automated testing environment setup procedures with improved credential handling during the build process.

The encryption-key-and-log-flush PR made SYNTHORG_JWT_SECRET and
SYNTHORG_SETTINGS_KEY mandatory at startup. The DAST workflow copies
.env.example as-is (keys commented out), so the backend crashes on boot.

Generate both secrets inline before starting the container.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gemini-code-assist
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


coderabbitai bot commented Mar 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: abbaf8b9-34eb-4009-a440-d0a41779d5b6

📥 Commits

Reviewing files that changed from the base of the PR and between 8c11a56 and 2f917e8.

📒 Files selected for processing (1)
  • .github/workflows/dast.yml

Walkthrough

The .github/workflows/dast.yml workflow file was modified to extend the Docker Compose environment setup step. In addition to copying docker/.env.example to docker/.env, the step now dynamically generates and appends two secret values: SYNTHORG_JWT_SECRET using Python's secrets.token_urlsafe(48) function, and SYNTHORG_SETTINGS_KEY using base64-encoded random 32-byte values via os.urandom(32) and base64.urlsafe_b64encode. The change adds 5 lines while removing 2, resulting in a net addition to the workflow configuration.

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately describes the main change: generating required secrets in the DAST workflow CI configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
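A runnable illustration of the fix the walkthrough above describes (copy `.env.example`, append the two generated secrets, then confirm nothing the backend requires is still missing). This is an added example, not code from the repository or from this PR; the `.env.example` content is a constructed stand-in and the helper names are assumptions.

```python
import base64
import binascii
import os
import secrets

# The two variables the backend now requires at startup (per the PR description).
REQUIRED_KEYS = ("SYNTHORG_JWT_SECRET", "SYNTHORG_SETTINGS_KEY")

# Constructed stand-in for docker/.env.example: both keys present but commented out.
EXAMPLE_ENV = """SYNTHORG_ENV=production
# SYNTHORG_JWT_SECRET=
# SYNTHORG_SETTINGS_KEY=
"""

def generate_secrets() -> dict[str, str]:
    # Same primitives the walkthrough names for the workflow step.
    return {
        "SYNTHORG_JWT_SECRET": secrets.token_urlsafe(48),
        "SYNTHORG_SETTINGS_KEY": base64.urlsafe_b64encode(os.urandom(32)).decode("ascii"),
    }

def parse_env(text: str) -> dict[str, str]:
    # Minimal KEY=VALUE parser; commented-out lines set nothing.
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values

def missing_keys(text: str) -> list[str]:
    # Absent or empty required keys: exactly the condition that made the backend crash on boot.
    values = parse_env(text)
    return [k for k in REQUIRED_KEYS if not values.get(k)]

def build_env(example_text: str) -> str:
    # Mirror the workflow: copy .env.example, then append freshly generated secrets.
    lines = [example_text.rstrip("\n")]
    lines.extend(f"{k}={v}" for k, v in generate_secrets().items())
    return "\n".join(lines) + "\n"

def settings_key_is_32_bytes(value: str) -> bool:
    # SYNTHORG_SETTINGS_KEY must decode to exactly 32 bytes of key material.
    try:
        return len(base64.urlsafe_b64decode(value)) == 32
    except (ValueError, binascii.Error):
        return False
```

Running `missing_keys` against the copied file before starting the container turns the boot-time `ValueError` into an early, readable CI failure.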

@Aureliolo Aureliolo merged commit 6ae297f into main Mar 19, 2026
24 checks passed
@Aureliolo Aureliolo deleted the fix/dast-env-secrets branch March 19, 2026 21:25
Aureliolo added a commit that referenced this pull request Mar 20, 2026
🤖 I have created a release *beep* *boop*
---

## [0.3.10](v0.3.9...v0.3.10) (2026-03-20)

### Bug Fixes

* **ci:** generate required secrets in DAST workflow ([#623](#623)) ([6ae297f](6ae297f))
* **cli:** doctor image check reads compose file and fix API docs URL ([#625](#625)) ([5202e53](5202e53))
* **engine:** sanitize error messages in checkpoint reconciliation and compaction summaries ([#632](#632)) ([5394ed7](5394ed7))
* mitigate TOCTOU DNS rebinding gap in git clone SSRF prevention ([#633](#633)) ([1846f6e](1846f6e))
* resolve post-startup log loss, add provider model discovery, and improve setup wizard UX ([#634](#634)) ([2df8d11](2df8d11))

### Maintenance

* bump https://github.com/astral-sh/ruff-pre-commit from v0.15.6 to 0.15.7 ([#628](#628)) ([c641d2c](c641d2c))
* bump python from `584e89d` to `fb83750` in /docker/backend ([#627](#627)) ([1a36eca](1a36eca))
* bump python from `584e89d` to `fb83750` in /docker/sandbox ([#629](#629)) ([fd3e69a](fd3e69a))
* bump the minor-and-patch group across 2 directories with 3 updates ([#630](#630)) ([67d14c4](67d14c4))
* bump the minor-and-patch group with 2 updates ([#631](#631)) ([2e51b60](2e51b60))
* **ci:** add timeout-minutes, harden fuzz script, extend CVE audit ([#626](#626)) ([25420e2](25420e2))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>