Skip to content

(refactor): cleanup ro + rw secrets files from repo and added necessary ci secrets files (.ci.admin.secrets.yaml -> sops-master + .ci.secrets.yaml -> sops-ro, both must be approved by @Patina-Network/infra)#25

Open
tahminator wants to merge 3 commits into
mainfrom
06-09-_refactor_cleanup_ro_rw_secrets_files_from_repo_and_added_necessary_ci_secrets_files_.ci.admin.secrets.yaml_-_sops-master_.ci.secrets.yaml_-_sops-ro_both_must_be_approved_by_patina-network_infra_
Open

(refactor): cleanup ro + rw secrets files from repo and added necessary ci secrets files (.ci.admin.secrets.yaml -> sops-master + .ci.secrets.yaml -> sops-ro, both must be approved by @Patina-Network/infra)#25
tahminator wants to merge 3 commits into
mainfrom
06-09-_refactor_cleanup_ro_rw_secrets_files_from_repo_and_added_necessary_ci_secrets_files_.ci.admin.secrets.yaml_-_sops-master_.ci.secrets.yaml_-_sops-ro_both_must_be_approved_by_patina-network_infra_

Conversation

@tahminator

@tahminator tahminator commented Jun 10, 2026

Copy link
Copy Markdown
Member

No description provided.

@tahminator Graphite App

tahminator commented Jun 10, 2026

Copy link
Copy Markdown
Member Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@tahminator
(refactor): cleanup ro + rw secrets files from repo and added necessa…
8c1f769 
…ry ci secrets files (.ci.admin.secrets.yaml -> sops-master + .ci.secrets.yaml -> sops-ro, both must be approved by @Patina-Network/infra)
@tahminator tahminator force-pushed the 06-09-_refactor_cleanup_ro_rw_secrets_files_from_repo_and_added_necessary_ci_secrets_files_.ci.admin.secrets.yaml_-_sops-master_.ci.secrets.yaml_-_sops-ro_both_must_be_approved_by_patina-network_infra_ branch from 69a7a48 to 8c1f769 Compare June 10, 2026 01:10
@tahminator tahminator marked this pull request as ready for review June 10, 2026 02:29
@tahminator tahminator requested review from a team as code owners June 10, 2026 02:29
@graphite-app graphite-app Bot requested review from Arshadul-Monir and arklian June 10, 2026 02:29
@graphite-app

graphite-app Bot commented Jun 10, 2026

Copy link
Copy Markdown

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (06/10/26)

2 reviewers were added to this PR based on Henry Chen's automation.

graphite-app[bot]
graphite-app Bot reviewed Jun 10, 2026
View reviewed changes
Comment thread CODEOWNERS Outdated
Comment thread CODEOWNERS Outdated
@sonarqubecloud

sonarqubecloud Bot commented Jun 10, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

graphite-app[bot]
graphite-app Bot reviewed Jun 10, 2026
View reviewed changes
Comment thread .sops.yaml
Comment on lines +5 to +8
- path_regex: ci.secrets.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"

@graphite-app graphite-app Bot Jun 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configuration mismatch: The path_regex rules will cause encryption key conflicts.

The file secrets.ci.yaml matches the second rule .*secret(s)?.*\.yaml which specifies the master vault (sops-master.vault.azure.net), but the actual file is encrypted with the ro vault (sops-ro.vault.azure.net/keys/sops-ro-key).

This will cause SOPS operations to fail when trying to edit or re-encrypt secrets.ci.yaml because SOPS will attempt to use the wrong key.

Fix: Update the first rule to match the actual filename pattern:

creation_rules:
  - path_regex: (ci|.*\.ci)\.secrets\.yaml
    azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
  - path_regex: .*secret(s)?.*\.yaml
    azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"

Or alternatively, ensure secrets.ci.yaml is re-encrypted with the master vault to match the current regex pattern.

Suggested change
- path_regex: ci.secrets.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"
- path_regex: (ci|.*\.ci)\.secrets\.yaml
azure_keyvault: "https://sops-ro.vault.azure.net/keys/sops-ro-key/"
- path_regex: .*secret(s)?.*\.yaml
azure_keyvault: "https://sops-master.vault.azure.net/keys/sops-key/"

Spotted by Graphite

Fix in Graphite

Is this helpful? React 👍 or 👎 to let us know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

@Arshadul-Monir Arshadul-Monir Awaiting requested review from Arshadul-Monir

@arklian arklian Awaiting requested review from arklian

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tahminator