unity-builder

game-ci/unity-builder

Fork 0

mirror of https://github.com/game-ci/unity-builder.git synced 2026-06-13 09:23:52 -07:00

Commit Graph

Author	SHA1	Message	Date
frostebite	1f3affe097	fix(secrets): prevent shell injection in secret key names and mask values - Validate secret key names against alphanumeric allowlist before shell interpolation - Apply validation in both SecretSourceService.fetchSecret() and legacy queryOverride() - Mask fetched secret values with core.setSecret() to prevent log exposure - Add 20 new tests for validation and masking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 12:55:18 +00:00
frostebite	7f895304f4	feat(secrets): add HashiCorp Vault as first-class premade secret source Adds three Vault entries: hashicorp-vault (KV v2), hashicorp-vault-kv1 (KV v1), and vault (short alias). Uses VAULT_ADDR for server address and VAULT_MOUNT env var for configurable mount path (defaults to 'secret'). Refs #776 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 08:41:04 +00:00
frostebite	e4c156e7b0	feat(orchestrator): add premade secret sources and YAML definitions Add SecretSourceService with premade secret source integrations: - aws-secrets-manager (with --query SecretString for direct value) - aws-parameter-store (with --with-decryption) - gcp-secret-manager (latest version) - azure-key-vault (via $AZURE_VAULT_NAME env var) - env (environment variables, no shell command needed) - Custom commands (any string with {0} placeholder) - YAML file definitions for custom sources Add secretSource input that takes precedence over inputPullCommand. Backward compatible — existing inputPullCommand behavior unchanged. Closes #776 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 08:35:03 +00:00

Author

SHA1

Message

Date

frostebite

1f3affe097

fix(secrets): prevent shell injection in secret key names and mask values

- Validate secret key names against alphanumeric allowlist before shell interpolation
- Apply validation in both SecretSourceService.fetchSecret() and legacy queryOverride()
- Mask fetched secret values with core.setSecret() to prevent log exposure
- Add 20 new tests for validation and masking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-05 12:55:18 +00:00

frostebite

7f895304f4

feat(secrets): add HashiCorp Vault as first-class premade secret source

Adds three Vault entries: hashicorp-vault (KV v2), hashicorp-vault-kv1
(KV v1), and vault (short alias). Uses VAULT_ADDR for server address and
VAULT_MOUNT env var for configurable mount path (defaults to 'secret').

Refs #776

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-05 08:41:04 +00:00

frostebite

e4c156e7b0

feat(orchestrator): add premade secret sources and YAML definitions

Add SecretSourceService with premade secret source integrations:
- aws-secrets-manager (with --query SecretString for direct value)
- aws-parameter-store (with --with-decryption)
- gcp-secret-manager (latest version)
- azure-key-vault (via $AZURE_VAULT_NAME env var)
- env (environment variables, no shell command needed)
- Custom commands (any string with {0} placeholder)
- YAML file definitions for custom sources

Add secretSource input that takes precedence over inputPullCommand.
Backward compatible — existing inputPullCommand behavior unchanged.

Closes #776

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-05 08:35:03 +00:00

3 Commits