Skip to content

feat: support isSecret in syncEnvVars#4203

Draft
isshaddad wants to merge 9 commits into
mainfrom
feat/sync-env-vars-is-secret-tri-11099
Draft

feat: support isSecret in syncEnvVars#4203
isshaddad wants to merge 9 commits into
mainfrom
feat/sync-env-vars-is-secret-tri-11099

Conversation

@isshaddad

@isshaddad isshaddad commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

What

Adds per-variable secret support to the syncEnvVars build extension. Return { name, value, isSecret: true } and the variable is stored as a secret (redacted in the dashboard, value non-revealable), just like a manually created secret env var. Secret and non-secret variables can be mixed in one callback.

syncEnvVars(async () => [
  { name: "PUBLIC_API_URL", value: "https://api.example.com" },
  { name: "DATABASE_URL", value: "postgres://...", isSecret: true },
]);

How

Env vars flow through the build pipeline as a flat name→value map, and the import API's isSecret is per-call. So secret vars are carried through the layer + manifest in parallel secretEnv / secretParentEnv maps, and at deploy time they go up in a second importEnvVars call with isSecret: true (the plain vars in the first call). The record form ({ KEY: "value" }) is unchanged and stays non-secret.

Commits

  • feat(core): carry secret env vars through the build layer + manifest schema
  • feat(build): partition isSecret vars in syncEnvVars
  • feat(cli): merge secret layers and import them with isSecret: true at deploy
  • test(build): cover the partitioning + document isSecret

Testing

  • vitest covers the partitioning (secret/non-secret × child/parent) and that the record form stays non-secret.
  • Verified against a local webapp that the deploy's import contract stores the secret var redacted (isSecret: true) and the plain var visible.

Closes TRI-11099

@changeset-bot

changeset-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 0633aae

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 28 packages
Name Type
@trigger.dev/build Minor
@trigger.dev/core Minor
trigger.dev Minor
@trigger.dev/python Minor
@internal/dashboard-agent Patch
@trigger.dev/plugins Minor
@trigger.dev/redis-worker Minor
@trigger.dev/schema-to-json Minor
@trigger.dev/sdk Minor
@internal/cache Patch
@internal/clickhouse Patch
@internal/llm-model-catalog Patch
@trigger.dev/rbac Minor
@internal/redis Patch
@internal/replication Patch
@internal/run-engine Patch
@internal/run-store Patch
@internal/schedule-engine Patch
@trigger.dev/sso Minor
@internal/testcontainers Patch
@internal/tracing Patch
@internal/tsql Patch
@internal/zod-worker Patch
@internal/sdk-compat-tests Patch
@trigger.dev/react-hooks Minor
@trigger.dev/rsc Minor
@trigger.dev/database Minor
@trigger.dev/otlp-importer Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3d46e939-f9b0-4f8c-9852-f36ac6d81375

📥 Commits

Reviewing files that changed from the base of the PR and between 4dec9f9 and 0633aae.

📒 Files selected for processing (1)
  • packages/cli-v3/src/commands/workers/build.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout. (41)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
  • GitHub Check: sdk-compat / Node.js 20.20 (warp-ubuntu-latest-x64-4x)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
  • GitHub Check: sdk-compat / Node.js 22.23 (warp-ubuntu-latest-x64-4x)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
  • GitHub Check: sdk-compat / Node.js 24.18 (warp-ubuntu-latest-x64-4x)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-windows-latest-x64-4x - pnpm)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: sdk-compat / Deno Runtime
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: sdk-compat / Node.js 26.4 (warp-ubuntu-latest-x64-4x)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
  • GitHub Check: sdk-compat / Bun Runtime
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-ubuntu-latest-x64-4x - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-windows-latest-x64-4x - npm)
  • GitHub Check: sdk-compat / Cloudflare Workers
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-ubuntu-latest-x64-4x - pnpm)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: typecheck / typecheck
  • GitHub Check: code-quality / code-quality
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Build and publish previews
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Use types over interfaces for TypeScript
Avoid using enums; prefer string unions or const objects instead

Files:

  • packages/cli-v3/src/commands/workers/build.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use function declarations instead of default exports

**/*.{ts,tsx,js,jsx}: Prefer static imports over dynamic import(); only use dynamic imports when resolving circular dependencies, enabling real code splitting, or conditionally loading a module at runtime.
Always import from @trigger.dev/sdk; never use @trigger.dev/sdk/v3 or the deprecated client.defineJob.

Files:

  • packages/cli-v3/src/commands/workers/build.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/otel-metrics.mdc)

**/*.ts: When creating or editing OTEL metrics (counters, histograms, gauges), ensure metric attributes have low cardinality by using only enums, booleans, bounded error codes, or bounded shard IDs
Do not use high-cardinality attributes in OTEL metrics such as UUIDs/IDs (envId, userId, runId, projectId, organizationId), unbounded integers (itemCount, batchSize, retryCount), timestamps (createdAt, startTime), or free-form strings (errorMessage, taskName, queueName)
When exporting OTEL metrics via OTLP to Prometheus, be aware that the exporter automatically adds unit suffixes to metric names (e.g., 'my_duration_ms' becomes 'my_duration_ms_milliseconds', 'my_counter' becomes 'my_counter_total'). Account for these transformations when writing Grafana dashboards or Prometheus queries

Files:

  • packages/cli-v3/src/commands/workers/build.ts
packages/cli-v3/src/commands/**/*

📄 CodeRabbit inference engine (packages/cli-v3/CLAUDE.md)

CLI command definitions should be located in src/commands/

Files:

  • packages/cli-v3/src/commands/workers/build.ts
🧠 Learnings (9)
📚 Learning: 2026-03-22T13:26:12.060Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3244
File: apps/webapp/app/components/code/TextEditor.tsx:81-86
Timestamp: 2026-03-22T13:26:12.060Z
Learning: In the triggerdotdev/trigger.dev codebase, do not flag `navigator.clipboard.writeText(...)` calls for `missing-await`/`unhandled-promise` issues. These clipboard writes are intentionally invoked without `await` and without `catch` handlers across the project; keep that behavior consistent when reviewing TypeScript/TSX files (e.g., usages like in `apps/webapp/app/components/code/TextEditor.tsx`).

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-03-22T19:24:14.403Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3187
File: apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts:200-204
Timestamp: 2026-03-22T19:24:14.403Z
Learning: In the triggerdotdev/trigger.dev codebase, webhook URLs are not expected to contain embedded credentials/secrets (e.g., fields like `ProjectAlertWebhookProperties` should only hold credential-free webhook endpoints). During code review, if you see logging or inclusion of raw webhook URLs in error messages, do not automatically treat it as a credential-leak/secrets-in-logs issue by default—first verify the URL does not contain embedded credentials (for example, no username/password in the URL, no obvious secret/token query params or fragments). If the URL is credential-free per this project’s conventions, allow the logging.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma error P1001 ("Can't reach database server") in TypeScript, don’t assume a single error shape. Prisma can surface P1001 via two different error classes/fields: `PrismaClientKnownRequestError` exposes it as `err.code === "P1001"` (common during mid-query connection drops), while `PrismaClientInitializationError` exposes it as `err.errorCode === "P1001"` (common on client startup failure). Therefore, predicates should use `err.code === "P1001" || err.errorCode === "P1001"`. Do not flag `err.code === "P1001"` as “unreachable/never matches,” as it is expected in production.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma errors for P1001 ("Can't reach database server"), do not assume it only appears under a single property name. Prisma may surface P1001 via either `PrismaClientKnownRequestError` (`err.code === "P1001"`, e.g., mid-query connection drops) or `PrismaClientInitializationError` (`err.errorCode === "P1001"`, e.g., client startup connection failure). To reliably detect the condition, check `err.code === "P1001" || err.errorCode === "P1001"`, and avoid review rules that would incorrectly flag `err.code === "P1001"` as unreachable/never-matching.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-06-13T19:53:13.759Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3937
File: packages/trigger-sdk/skills/realtime-and-frontend/SKILL.md:258-260
Timestamp: 2026-06-13T19:53:13.759Z
Learning: When reviewing code that uses `trigger.dev/react-hooks`’s `useRealtimeRun`, preserve the call signature where the first argument is the full realtime handle object (not `handle.id`). This is intentional to maintain type-safety and is consistent with the official docs; do not suggest changing the first argument from the handle object to `handle.id`.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-06-17T17:13:49.929Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3948
File: apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx:48-62
Timestamp: 2026-06-17T17:13:49.929Z
Learning: In triggerdotdev/trigger.dev, within `dashboardLoader`/`dashboardAction` (or similar context resolver code) whenever you resolve an organization ID from an organization slug for RBAC/enterprise authorization scope, always read from the primary Prisma client (`prisma`), not `$replica`. Using `$replica` can hit replica-lag and cause the RBAC lookup/authorization to run without the correct org scope (bypassing intended role enforcement). Implement the slug→org lookup with `prisma.organization.findFirst(...)` (or equivalent primary-client query) and add an inline comment documenting why the primary client is required (replica lag could lead to unscoped RBAC checks).

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-06-23T13:04:21.413Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4023
File: apps/webapp/app/services/upsertBranch.server.ts:14-18
Timestamp: 2026-06-23T13:04:21.413Z
Learning: In TypeScript, it’s valid to `import { type X }` and then use `typeof X` in a type-only position, e.g. `type Alias = z.infer<typeof X>`. The `type` modifier suppresses the runtime import, but the type checker still has the full exported type so `z.infer<typeof X>` can resolve correctly. In code reviews, don’t flag this as a TypeScript compile error as long as `typeof X` is used in a type context (e.g., with `z.infer`, `type` aliases, generics), not as a runtime value.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-06-04T18:16:35.386Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3836
File: apps/supervisor/src/backpressure/backpressureMonitor.ts:3-5
Timestamp: 2026-06-04T18:16:35.386Z
Learning: When reviewing TypeScript in this repo, apply the rule “prefer type aliases over interfaces” only to data/object shapes and union/intersection type modeling. If an interface is being used as a behavioral contract for collaborators to implement (e.g., method-shape interfaces that define required behavior, such as `BackpressureLogger` / `BackpressureSignalSource` in `apps/supervisor/src/backpressure/backpressureMonitor.ts`), keep it as an `interface` and do not flag it as a type-alias-vs-interface violation.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
📚 Learning: 2026-06-09T17:58:04.699Z
Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 3879
File: apps/webapp/app/models/vercelIntegration.server.ts:619-630
Timestamp: 2026-06-09T17:58:04.699Z
Learning: In this codebase, outbound raw `fetch` calls should typically rely on Node/undici’s default request timeout (about ~300s) rather than adding a per-call `AbortController` + `setTimeout` wrapper inside individual functions (e.g. in files like `apps/webapp/app/models/vercelIntegration.server.ts`). During code review, do not flag the absence of a per-call timeout on a single `fetch` as an issue; if per-call timeouts are needed, they should be implemented via a codebase-wide convention (e.g., a shared fetch wrapper or documented pattern) rather than ad-hoc per-function changes.

Applied to files:

  • packages/cli-v3/src/commands/workers/build.ts
🔇 Additional comments (2)
packages/cli-v3/src/commands/workers/build.ts (2)

262-287: LGTM!


475-492: 🩺 Stability & Availability

Ensure override: true only upserts matching keys
If importEnvVars treats override as a full-set replacement, the secret import can wipe the non-secret vars imported in the first call.


Walkthrough

This PR adds support for marking environment variables synced via syncEnvVars as secrets. syncEnvVars accepts isSecret on array-form entries and emits secret-specific build layer fields. The build manifest and CLI deploy path now carry secretEnv and secretParentEnv, and deployment imports secret and non-secret variables separately. Tests, configuration, documentation, and a changeset were updated.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding isSecret support to syncEnvVars.
Description check ✅ Passed The description covers the change, implementation, commits, testing, and issue closure, though it doesn't follow the template headings exactly.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/sync-env-vars-is-secret-tri-11099

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

coderabbitai[bot]

This comment was marked as resolved.

@pkg-pr-new

pkg-pr-new Bot commented Jul 9, 2026

Copy link
Copy Markdown

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@0633aae

trigger.dev

npm i https://pkg.pr.new/trigger.dev@0633aae

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@0633aae

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@0633aae

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@0633aae

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@0633aae

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@0633aae

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@0633aae

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@0633aae

commit: 0633aae

@isshaddad isshaddad marked this pull request as ready for review July 9, 2026 14:33
@isshaddad isshaddad marked this pull request as draft July 9, 2026 14:33

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

🐛 1 issue in files not directly in the diff

🐛 Secret environment variables are silently dropped during worker/unmanaged builds (packages/cli-v3/src/commands/workers/build.ts:262-279)

Secret env vars are never forwarded to the server during worker builds (syncEnvVarsWithServer at packages/cli-v3/src/commands/workers/build.ts:449-463) because this code path was not updated, so any variable marked isSecret: true is silently lost.

Impact: Users deploying via the unmanaged/worker build path will have their secret environment variables silently ignored, leading to missing secrets at runtime.

Incomplete transformation: deploy.ts was updated but workers/build.ts was not

The PR updated packages/cli-v3/src/commands/deploy.ts:766-814 to split secret and non-secret env vars into separate API calls and pass secretEnvVars/secretParentEnvVars to syncEnvVarsWithServer. However, packages/cli-v3/src/commands/workers/build.ts has its own parallel copy of both the sync detection logic and the syncEnvVarsWithServer function, and neither was updated.

Three specific issues:

  1. The sync detection condition at packages/cli-v3/src/commands/workers/build.ts:262-265 only checks buildManifest.deploy.sync.env — if all vars are secret (no non-secret vars exist), the entire sync block is skipped.

  2. The call at packages/cli-v3/src/commands/workers/build.ts:273-278 only passes env and parentEnv, not secretEnv or secretParentEnv.

  3. The function at packages/cli-v3/src/commands/workers/build.ts:449-463 doesn't accept or handle secret env var parameters at all, unlike its updated counterpart in deploy.ts.

Open in Devin Review

Comment on lines +198 to +204
if (layer.deploy.override || $manifest.deploy.env[key] === undefined) {
const existingValue = $manifest.deploy.env[key];

if (existingValue !== value) {
$manifest.deploy.sync.secretEnv[key] = value;
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Secret env dedup logic checks non-secret env map, which may skip valid secret overrides

In applyLayerToManifest at packages/cli-v3/src/build/extensions.ts:188-226, the override check for secretEnv and secretParentEnv uses $manifest.deploy.env[key] — the non-secret env map. This means if a key already exists as a non-secret env var with the same value, the secret version won't be added to sync.secretEnv. This is consistent with how the existing non-secret env/parentEnv dedup works, but it creates an implicit coupling: a user cannot "upgrade" an existing non-secret var to secret via syncEnvVars if the value hasn't changed, because the dedup check will suppress it. This edge case seems unlikely in practice but is worth being aware of.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intentional — mirrors the existing non-secret dedup so behavior is uniform. The "upgrade unchanged value to secret" edge case is niche and can be done via the dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant