continue
fix: added Process env secret key support
Description
Closes #5902
This PR improves the secret resolution mechanism in the Continue extension to support loading secrets from OS-level environment variables (process.env) as a fallback.
Previously, when resolving ${{ secrets.VAR_NAME }} in config.yaml, the extension checked:
- ~/.continue/.env
- Workspace .env files
- User account secrets (via Continue’s API)

This did not accommodate scenarios where secrets are managed at the OS environment level, which is common in CI/CD pipelines, Dockerized environments, or due to corporate security policies that might restrict API calls for secrets. It also forced unnecessary duplication for local development if variables were already in process.env.
With this change, the secret resolution now supports:
- Local .env files (~/.continue/.env and workspace .env).
- User account secrets via the Continue API.
- OS environment variables (process.env).

Key Changes
- Introduced SecretType.ProcessEnv: Added ProcessEnv to the SecretType enum in packages/config-yaml/src/interfaces/SecretResult.ts. Updated associated interfaces (ProcessEnvSecretLocation, SecretLocation) and the encodeSecretLocation/decodeSecretLocation functions to handle this new type.
- Modified LocalPlatformClient.ts (core/config/yaml/): Added a new private method findSecretInProcessEnv(fqsn: FQSN) to fetch secret values directly from process.env.
Checklist
- [x] I've read the contributing guide
- [ ] The relevant docs, if any, have been updated or created
- [ ] The relevant tests, if any, have been updated or created
Screenshots
https://github.com/user-attachments/assets/e359966e-bc20-4e79-afa5-8bce0f416d0d
Tests
This PR introduces a comprehensive test suite for the LocalPlatformClient located in core/config/yaml/LocalPlatformClient.test.ts.
The tests cover the following key scenarios:
- Resolution from process.env: Verifies that secrets are correctly retrieved from process.env when they are not found in local .env files or via the Continue API. Ensures the secretLocation is appropriately marked as SecretType.ProcessEnv.
- Precedence Rules:
  - Local .env over process.env: Confirms that if a secret exists in both a local .env file and process.env, the value from the .env file takes precedence.
  - API over process.env: Ensures that secrets resolved via the Continue API are prioritized over those in process.env (assuming the secret is not in a local .env file).
- Not Found: Tests that if a secret is not present in any of the configured locations (local .env files, Continue API, or process.env), it is correctly reported with found: false and secretLocation.secretType as SecretType.NotFound.
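The precedence the description above lays out (local .env, then the Continue API, then process.env, else not found), as an added example that is not the PR's or Continue's own code. The names `resolveSecret`, `renderConfig`, `Sources`, the source labels, the reference regex and the synchronous map standing in for the API are all assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not Continue's code.
type SecretSource = "local_env" | "account_api" | "process_env" | "not_found";
type Lookup = Record<string, string | undefined>;

interface Sources {
  localEnv: Lookup;   // parsed ~/.continue/.env and workspace .env entries
  accountApi: Lookup; // stand-in for user account secrets fetched via the API
  processEnv: Lookup; // pass process.env here in real use
}
interface Resolved { found: boolean; source: SecretSource; value?: string }

// Precedence from the PR's tests: local .env, then the API, then process.env.
function resolveSecret(name: string, s: Sources): Resolved {
  const order: [SecretSource, Lookup][] = [
    ["local_env", s.localEnv],
    ["account_api", s.accountApi],
    ["process_env", s.processEnv],
  ];
  for (const [source, lookup] of order) {
    // Own-property check so names like "toString" never resolve via the prototype.
    if (!Object.prototype.hasOwnProperty.call(lookup, name)) continue;
    const value = lookup[name];
    if (value !== undefined) return { found: true, source, value };
  }
  return { found: false, source: "not_found" };
}

// Assumed reference syntax: ${{ secrets.NAME }} with an identifier-style NAME.
const SECRET_REF = /\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;

// Expand references and record which source supplied each name (never the value).
function renderConfig(text: string, s: Sources) {
  const report: string[] = [];
  const missing: string[] = [];
  const rendered = text.replace(SECRET_REF, (whole: string, name: string) => {
    const r = resolveSecret(name, s);
    if (!r.found || r.value === undefined) { missing.push(name); return whole; }
    report.push(`${name}:${r.source}`);
    return r.value;
  });
  return { rendered, report, missing };
}

// Constructed sample data (placeholder values, no real keys).
const sample: Sources = {
  localEnv: { OPENAI_KEY: "from-dotenv" },
  accountApi: { OPENAI_KEY: "from-api", HUB_KEY: "from-api" },
  processEnv: { OPENAI_KEY: "from-os", HUB_KEY: "from-os", CI_KEY: "from-os" },
};
const sampleConfig = "a: ${{ secrets.OPENAI_KEY }}\nb: ${{ secrets.HUB_KEY }}\nc: ${{ secrets.CI_KEY }}";
```

The `report` list names the source of each resolved secret without its value, which makes it easy to see during review which references fell through to the process.env fallback.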
Deploy Preview for continuedev canceled.
| Name | Link |
|---|---|
| Latest commit | 00b43f04a005bbad5fccfbd2e37fa014d24beeee |
| Latest deploy log | https://app.netlify.com/projects/continuedev/deploys/683eefa77e9a330008b5d671 |
@sestinj I had to create this new PR due to some issue with local setup. The test is now using vitest instead of jest.
✨ No issues found! Your code is sparkling clean! ✨
Can someone please resolve the merge conflicts and merge this PR? We urgently need this fix in place. @0xshadow-dev
@k-stamp it should be on pre-release this week
:tada: This PR is included in version 1.5.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
:tada: This PR is included in version 1.7.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket: