chore(deploy): disable nested secrets symlinks (real dirs only)

ia_dev_deploy_ensure_nested_secrets_symlinks is a no-op; nested .secrets/<site>/<env> must be material directories.
Nicolas Cantu 2026-04-16 12:56:15 +02:00
parent bd604d28b8
commit 7dd97e5df7


@ -29,37 +29,12 @@ ia_dev_deploy_secrets_export_from_conf() {
} }
# ia_dev_deploy_ensure_nested_secrets_symlinks <secrets_parent> <env> # ia_dev_deploy_ensure_nested_secrets_symlinks <secrets_parent> <env>
# LeCoffre connect-db-paths expects `.secrets/<site>/<env>/` under secrets_parent. ia_dev conf often has a flat `<env>/` tree only. # Intentionally a no-op: nested `.secrets/<site>/<env>/` must be **real directories** (no symlinks —
# For each site in lecoffreio, enso, genealogie: if `<secrets_parent>/<site>/<env>` is missing and `<secrets_parent>/<env>` is a directory, # low maintainability, breaks tooling expectations). Maintain `lecoffreio|enso|genealogie/<env>/`
# create `<site>/<env>` as a symlink to `../<env>` (same convention as a manual `ln -sfn ../pprod lecoffreio/pprod`). # as normal folders; use `deploy/scripts_v2/materialize-nested-secrets-mandatory.mjs` on the LeCoffre
# Skips a site when a real (non-symlink) directory already exists at the nested path. # clone or copy from a canonical tree.
ia_dev_deploy_ensure_nested_secrets_symlinks() { ia_dev_deploy_ensure_nested_secrets_symlinks() {
local secrets_parent="${1:?}"
local env_name="${2:?}"
if [[ ! -d "$secrets_parent" ]]; then
return 0 return 0
fi
if [[ ! "$env_name" =~ ^(test|pprod|prod)$ ]]; then
return 0
fi
local flat="${secrets_parent}/${env_name}"
if [[ ! -d "$flat" ]]; then
return 0
fi
local site nested
for site in lecoffreio enso genealogie; do
nested="${secrets_parent}/${site}/${env_name}"
if [[ -d "$nested" && ! -L "$nested" ]]; then
continue
fi
if [[ -e "$nested" && ! -L "$nested" ]]; then
echo "[ia_dev][deploy][WARN] ${nested} exists and is not a symlink or directory; skip" >&2
continue
fi
mkdir -p "${secrets_parent}/${site}"
ln -sfn "../${env_name}" "$nested"
echo "[ia_dev][deploy] Nested secrets path: ${nested} -> ../${env_name}" >&2
done
} }
# ia_dev_deploy_export_runtime_context <repository_root> <env> — required handoff to project orchestrator (blocking checks below) # ia_dev_deploy_export_runtime_context <repository_root> <env> — required handoff to project orchestrator (blocking checks below)
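Review bot: Reducing `ia_dev_deploy_ensure_nested_secrets_symlinks` to a bare `return 0` leaves any `<site>/<env>` symlink created by earlier runs (`ln -sfn "../${env_name}" "$nested"`) in place, and nothing in this hunk detects it. Where such a link survives, lecoffreio, enso and genealogie all still resolve to the same flat `<env>` secrets tree, which is exactly the layout the new header comment rules out. The function could keep returning 0 and still report leftovers on stderr, as sketched below. Whether a leftover symlink should instead abort the deploy depends on the blocking checks referred to for ia_dev_deploy_export_runtime_context, which lie outside this hunk.

```shell
ia_dev_deploy_ensure_nested_secrets_symlinks() {
  local secrets_parent="${1:?}"
  local env_name="${2:?}"
  local site nested
  for site in lecoffreio enso genealogie; do
    nested="${secrets_parent}/${site}/${env_name}"
    # A symlink here is a leftover from the previous behaviour; report it, do not touch it.
    if [[ -L "$nested" ]]; then
      echo "[ia_dev][deploy][WARN] ${nested} is a symlink; replace it with a real directory" >&2
    fi
  done
  return 0
}
```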