fix(ci): reject placeholder secret values in validation step #3097
Merged
crivetimihai merged 1 commit into main from Feb 21, 2026
The validation step only checked for empty secrets, allowing placeholder values like '-' to pass. This caused the workflow to build and push the Docker image (~3 min) before failing at the verification step. Now rejects '-', 'changeme', and 'CHANGE_ME' early with a helpful error pointing to GitHub Settings. Also sets all 5 CF_* secrets in the production environment to strong random values (they were previously set to '-').

Closes #3096

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
vishu-bh pushed a commit that referenced this pull request Feb 24, 2026
Summary
'-', 'changeme', 'CHANGE_ME') early, before building/pushing the Docker image (~3 min savings)
'-' placeholders through
CF_* secrets in the production environment to strong random values (they were set to '-')

Root cause of #3096 failure
The GitHub Secrets in the production environment were set to '-' (single dash) as placeholders. The secret sync correctly wrote '-' to Code Engine, and the verification correctly caught it. Proof: every '-' in the CI log was masked as '***' (e.g., 'us***south', '***name'), which only happens when a secret value is literally '-'.

Closes #3096
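
The early check and the masking symptom described above, as an added example that is not the project's workflow code: a POSIX shell validation that fails before any image build when a secret is empty or a placeholder, and a simplified model of log masking that reproduces the 'us***south' effect. The CF_EXAMPLE_* names and the sample log line are hypothetical, and the masking function is a literal-replacement approximation, not GitHub's implementation.

```sh
#!/bin/sh
# Added example, not the project's workflow. Secret names are hypothetical.

# Succeeds (0) when the value is empty or one of the placeholders the PR rejects.
is_placeholder() {
  case "$1" in
    ''|'-'|'changeme'|'CHANGE_ME') return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: validate_secrets NAME...   (run before the build/push step)
# Reads each exported variable by name, reports every bad one, and prints
# names only so no secret value reaches the log.
validate_secrets() {
  _bad=0
  for _name in "$@"; do
    _val=$(printenv "$_name") || _val=''      # unset counts as empty
    if is_placeholder "$_val"; then
      echo "::error::${_name} is empty or a placeholder; set it in GitHub Settings" >&2
      _bad=1
    fi
  done
  [ "$_bad" -eq 0 ]
}

# Simplified model of log masking: every literal occurrence of the secret
# value becomes ***. With a secret of '-', ordinary hyphens get masked too.
mask_line() {   # $1 = log line, $2 = secret value
  _rest=$1
  _out=''
  while [ -n "$2" ]; do
    case "$_rest" in
      *"$2"*) _out=$_out${_rest%%"$2"*}'***'
              _rest=${_rest#*"$2"} ;;
      *) break ;;
    esac
  done
  printf '%s\n' "$_out$_rest"
}

# Constructed sample: prints "region: us***south"
mask_line 'region: us-south' '-'
```

In a workflow step the secrets would be passed in through `env:` and the step would call `validate_secrets` with their names, exiting non-zero before the build starts.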