Carry secret-backed env vars from old CI into pyproject (lossless migration)#49

Merged
thorwhalen merged 1 commit into master from feature/migrate-carry-ci-env on Jun 2, 2026
Conversation

@thorwhalen

Member

Answers a gap you flagged before the fleet migration: migration should read the current CI and carry its secret wiring into pyproject.toml, rather than relying on the agent (skill) to do it by hand.

What it does

ci-to-uv, ci-to-stub, and the batch fleet-stub now extract ${{ secrets.X }} references from the existing workflow's env: blocks and inject any not-yet-declared ones into [tool.wads.ci.env].extra_envvars — recording a secret_aliases entry when the env-var name differs from the secret name (e.g. HF_TOKEN ← HF_WRITE_TOKEN). Migration is now lossless: secrets wired only in the old YAML are preserved instead of silently dropped.

This is in the migration code, not just the skill — so it's deterministic and works identically whether driven by you, an agent, or the batch loop over your 10–20 repos.

Precision (avoids re-introducing over-assignment)

Only env: blocks are scanned — not the reusable-workflow secrets: pass-through (transport ≠ usage) and not with: action inputs. Infra secrets (PYPI_PASSWORD, GITHUB_TOKEN, TEST_PYPI_PASSWORD) are excluded. Carried vars go to extra_envvars (available-if-set, never fails a build); you promote to required/test if a test truly depends on one. The command prints exactly what it carried.

Batch behavior

fleet-stub stages pyproject.toml alongside ci.yml and notes the carry in the per-repo commit message; a repo is noop only when neither the workflow nor the env changed.

End-to-end check

For an inline-uv ci.yml with OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} and HF_TOKEN: ${{ secrets.HF_WRITE_TOKEN }} (not yet in pyproject), ci-to-stub produced:

```toml
extra_envvars = ["OPENAI_API_KEY", "HF_TOKEN"]
[tool.wads.ci.env.secret_aliases]
HF_TOKEN = "HF_WRITE_TOKEN"
```

and a stub passing PYPI_PASSWORD, OPENAI_API_KEY, HF_WRITE_TOKEN.

Skill (wads-migrate) updated to document the auto-carry. Tests added. Full suite: 292 passed.

…t (lossless)

Migration now extracts `${{ secrets.X }}` references from the existing
workflow's env: blocks and injects any not-yet-declared ones into
[tool.wads.ci.env].extra_envvars (recording secret_aliases when the env-var
name differs from the secret name). So ci-to-uv / ci-to-stub / fleet-stub no
longer silently drop secrets that were wired only in the old workflow YAML.

- migration.py: extract_ci_env_vars() + carry_ci_env_into_pyproject(); wired
  into the ci-to-stub and ci-to-uv CLI handlers (prints what it carried).
- fleet_migrate.py: _migrate_one carries env per repo and stages pyproject.toml
  alongside ci.yml in the commit (so the batch push includes it); noop only when
  neither the workflow nor the env changed.
- Only env: blocks are scanned (not reusable-workflow secrets: pass-through, and
  not with: action inputs), so PYPI_PASSWORD/GITHUB_TOKEN and transport-only
  names are never mis-carried — no over-assignment.
- wads-migrate skill: document the automatic, lossless carry.
- Tests: test_ci_env_extraction.py (extraction precision, alias, idempotence).

Refs #45.
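A self-contained sketch of the carry step that the PR description ("Precision", "End-to-end check") and the commit message above describe, added here as an example; it is not wads' own migration.py. The function names mirror the commit message, but the indentation-based YAML scan, the `INFRA_SECRETS` set, `render_toml` and the sample workflow are my own assumptions.

```python
import re

# Constructed example, not wads' own code. Infra secrets are the ones the PR excludes.
INFRA_SECRETS = {"PYPI_PASSWORD", "GITHUB_TOKEN", "TEST_PYPI_PASSWORD"}
SECRET_REF = re.compile(r"^\s*([A-Za-z_]\w*):\s*\$\{\{\s*secrets\.(\w+)\s*\}\}\s*$")
BLOCK_KEY = re.compile(r"^(\s*)(env|secrets|with):\s*$")

def extract_ci_env_vars(workflow_yaml: str) -> dict[str, str]:
    """env-var -> secret name from `env:` blocks only; `secrets:`/`with:` are transport, skipped."""
    carried: dict[str, str] = {}
    block, block_indent = None, -1
    for line in workflow_yaml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = BLOCK_KEY.match(line)
        if m:                                   # entering an env:/secrets:/with: mapping
            block, block_indent = m.group(2), len(m.group(1))
            continue
        if block and len(line) - len(line.lstrip()) <= block_indent:
            block = None                        # dedent: the mapping is over
        ref = SECRET_REF.match(line) if block == "env" else None
        if ref and ref.group(2) not in INFRA_SECRETS:
            carried.setdefault(ref.group(1), ref.group(2))
    return carried

def carry_ci_env_into_pyproject(carried: dict[str, str], declared: set[str]) -> tuple[list[str], dict[str, str]]:
    """New extra_envvars entries plus secret_aliases for names not yet in pyproject (idempotent)."""
    new_vars = [v for v in carried if v not in declared]
    aliases = {v: carried[v] for v in new_vars if carried[v] != v}   # alias only when names differ
    return new_vars, aliases

def render_toml(new_vars: list[str], aliases: dict[str, str]) -> str:
    out = ["[tool.wads.ci.env]", "extra_envvars = [%s]" % ", ".join(f'"{v}"' for v in new_vars)]
    if aliases:
        out.append("[tool.wads.ci.env.secret_aliases]")
        out += [f'{v} = "{s}"' for v, s in aliases.items()]
    return "\n".join(out)

# Constructed sample: two real env vars, one infra secret, a pass-through and an action input.
SAMPLE_WORKFLOW = """\
env:
  OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
  HF_TOKEN: ${{ secrets.HF_WRITE_TOKEN }}
  PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
jobs:
  test:
    secrets:
      SLACK_HOOK: ${{ secrets.SLACK_HOOK }}
    with:
      token: ${{ secrets.DEPLOY_TOKEN }}
"""
```

Running `render_toml(*carry_ci_env_into_pyproject(extract_ci_env_vars(SAMPLE_WORKFLOW), set()))` yields the same fragment the PR's end-to-end check shows; a second run with the two names already declared carries nothing.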
@thorwhalen thorwhalen merged commit b3dd07d into master Jun 2, 2026
12 checks passed
@thorwhalen thorwhalen deleted the feature/migrate-carry-ci-env branch June 2, 2026 08:56