+1 -1

spindle/engine/engine.go

··· 25 25 // extract secrets 26 26 var allSecrets []secrets.UnlockedSecret 27 27 if didSlashRepo, err := securejoin.SecureJoin(pipeline.RepoOwner, pipeline.RepoName); err == nil { 28 28 - if res, err := vault.GetSecretsUnlocked(ctx, secrets.DidSlashRepo(didSlashRepo)); err == nil { 28 28 + if res, err := vault.GetSecretsUnlocked(ctx, secrets.RepoIdentifier(didSlashRepo)); err == nil { 29 29 allSecrets = res 30 30 } 31 31 }

+32 -26

spindle/ingester.go

··· 228 228 return err 229 229 } 230 230 231 231 - repoAt, err := syntax.ParseATURI(record.Repo) 232 232 - if err != nil { 233 233 - l.Info("rejecting record, invalid repoAt", "repoAt", record.Repo) 234 234 - return nil 235 235 - } 231 231 + var rbacResource string 232 232 + var ownerDid string 233 233 + switch { 234 234 + case record.Repo != nil: 235 235 + repoAt, parseErr := syntax.ParseATURI(*record.Repo) 236 236 + if parseErr != nil { 237 237 + l.Info("rejecting record, invalid repoAt", "repoAt", *record.Repo) 238 238 + return nil 239 239 + } 236 240 237 237 - // TODO: get rid of this entirely 238 238 - // resolve this aturi to extract the repo record 239 239 - owner, err := s.res.ResolveIdent(ctx, repoAt.Authority().String()) 240 240 - if err != nil || owner.Handle.IsInvalidHandle() { 241 241 - return fmt.Errorf("failed to resolve handle: %w", err) 242 242 - } 241 241 + owner, resolveErr := s.res.ResolveIdent(ctx, repoAt.Authority().String()) 242 242 + if resolveErr != nil || owner.Handle.IsInvalidHandle() { 243 243 + return fmt.Errorf("failed to resolve handle: %w", resolveErr) 244 244 + } 243 245 244 244 - xrpcc := xrpc.Client{ 245 245 - Host: owner.PDSEndpoint(), 246 246 - } 246 246 + xrpcc := xrpc.Client{ 247 247 + Host: owner.PDSEndpoint(), 248 248 + } 247 249 248 248 - resp, err := comatproto.RepoGetRecord(ctx, &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 249 249 - if err != nil { 250 250 - return err 250 250 + resp, getErr := comatproto.RepoGetRecord(ctx, &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 251 251 + if getErr != nil { 252 252 + return getErr 253 253 + } 254 254 + 255 255 + repo := resp.Value.Val.(*tangled.Repo) 256 256 + rbacResource, _ = securejoin.SecureJoin(owner.DID.String(), repo.Name) 257 257 + ownerDid = owner.DID.String() 258 258 + 259 259 + default: 260 260 + l.Info("rejecting collaborator record without repo at-uri (spindle RBAC keyed by owner/name)") 261 261 + return nil 251 262 } 252 263 253 253 - repo := resp.Value.Val.(*tangled.Repo) 254 254 - didSlashRepo, _ := securejoin.SecureJoin(owner.DID.String(), repo.Name) 255 255 - 256 256 - // check perms for this user 257 257 - if ok, err := s.e.IsCollaboratorInviteAllowed(owner.DID.String(), rbac.ThisServer, didSlashRepo); !ok || err != nil { 264 264 + if ok, err := s.e.IsCollaboratorInviteAllowed(ownerDid, rbac.ThisServer, rbacResource); !ok || err != nil { 258 265 return fmt.Errorf("insufficient permissions: %w", err) 259 266 } 260 267 261 261 - // add collaborator to rbac 262 262 - if err := s.e.AddCollaborator(record.Subject, rbac.ThisServer, didSlashRepo); err != nil { 263 263 - l.Error("failed to add repo to enforcer", "error", err) 264 264 - return fmt.Errorf("failed to add repo: %w", err) 268 268 + if err := s.e.AddCollaborator(record.Subject, rbac.ThisServer, rbacResource); err != nil { 269 269 + l.Error("failed to add collaborator to enforcer", "error", err) 270 270 + return fmt.Errorf("failed to add collaborator: %w", err) 265 271 } 266 272 267 273 return nil

+8 -2

spindle/models/clone.go

··· 120 120 host = strings.ReplaceAll(host, "localhost", "host.docker.internal") 121 121 } 122 122 123 123 - // Build URL: {scheme}{knot}/{did}/{repo} 124 124 - return fmt.Sprintf("%s%s/%s/%s", scheme, host, repo.Did, repo.Repo) 123 123 + switch { 124 124 + case repo.RepoDid != nil: 125 125 + return fmt.Sprintf("%s%s/%s", scheme, host, *repo.RepoDid) 126 126 + case repo.Repo != nil: 127 127 + return fmt.Sprintf("%s%s/%s/%s", scheme, host, repo.Did, *repo.Repo) 128 128 + default: 129 129 + return "" 130 130 + } 125 131 } 126 132 127 133 // buildFetchArgs constructs the arguments for git fetch based on clone options

+6 -1

spindle/models/pipeline_env.go

··· 26 26 if tr.Repo != nil { 27 27 env["TANGLED_REPO_KNOT"] = tr.Repo.Knot 28 28 env["TANGLED_REPO_DID"] = tr.Repo.Did 29 29 - env["TANGLED_REPO_NAME"] = tr.Repo.Repo 29 29 + if tr.Repo.Repo != nil { 30 30 + env["TANGLED_REPO_NAME"] = *tr.Repo.Repo 31 31 + } 32 32 + if tr.Repo.RepoDid != nil { 33 33 + env["TANGLED_REPO_REPO_DID"] = *tr.Repo.RepoDid 34 34 + } 30 35 env["TANGLED_REPO_DEFAULT_BRANCH"] = tr.Repo.DefaultBranch 31 36 env["TANGLED_REPO_URL"] = BuildRepoURL(tr.Repo, devMode) 32 37 }

+4 -4

spindle/secrets/manager.go

··· 9 9 "github.com/bluesky-social/indigo/atproto/syntax" 10 10 ) 11 11 12 12 - type DidSlashRepo string 12 12 + type RepoIdentifier string 13 13 14 14 type Secret[T any] struct { 15 15 Key string 16 16 Value T 17 17 - Repo DidSlashRepo 17 17 + Repo RepoIdentifier 18 18 CreatedAt time.Time 19 19 CreatedBy syntax.DID 20 20 } ··· 29 29 type Manager interface { 30 30 AddSecret(ctx context.Context, secret UnlockedSecret) error 31 31 RemoveSecret(ctx context.Context, secret Secret[any]) error 32 32 - GetSecretsLocked(ctx context.Context, repo DidSlashRepo) ([]LockedSecret, error) 33 33 - GetSecretsUnlocked(ctx context.Context, repo DidSlashRepo) ([]UnlockedSecret, error) 32 32 + GetSecretsLocked(ctx context.Context, repo RepoIdentifier) ([]LockedSecret, error) 33 33 + GetSecretsUnlocked(ctx context.Context, repo RepoIdentifier) ([]UnlockedSecret, error) 34 34 } 35 35 36 36 // stopper interface for managers that need cleanup

+5 -5

spindle/secrets/openbao.go

··· 149 149 return nil 150 150 } 151 151 152 152 - func (v *OpenBaoManager) GetSecretsLocked(ctx context.Context, repo DidSlashRepo) ([]LockedSecret, error) { 152 152 + func (v *OpenBaoManager) GetSecretsLocked(ctx context.Context, repo RepoIdentifier) ([]LockedSecret, error) { 153 153 repoPath := v.buildRepoPath(repo) 154 154 155 155 secretsList, err := v.client.Logical().ListWithContext(ctx, fmt.Sprintf("%s/metadata/%s", v.mountPath, repoPath)) ··· 224 224 return secrets, nil 225 225 } 226 226 227 227 - func (v *OpenBaoManager) GetSecretsUnlocked(ctx context.Context, repo DidSlashRepo) ([]UnlockedSecret, error) { 227 227 + func (v *OpenBaoManager) GetSecretsUnlocked(ctx context.Context, repo RepoIdentifier) ([]UnlockedSecret, error) { 228 228 repoPath := v.buildRepoPath(repo) 229 229 230 230 secretsList, err := v.client.Logical().ListWithContext(ctx, fmt.Sprintf("%s/metadata/%s", v.mountPath, repoPath)) ··· 307 307 } 308 308 309 309 // buildRepoPath creates a safe path for a repository 310 310 - func (v *OpenBaoManager) buildRepoPath(repo DidSlashRepo) string { 311 311 - // convert DidSlashRepo to a safe path by replacing special characters 310 310 + func (v *OpenBaoManager) buildRepoPath(repo RepoIdentifier) string { 311 311 + // convert RepoIdentifier to a safe path by replacing special characters 312 312 repoPath := strings.ReplaceAll(string(repo), "/", "_") 313 313 repoPath = strings.ReplaceAll(repoPath, ":", "_") 314 314 repoPath = strings.ReplaceAll(repoPath, ".", "_") ··· 316 316 } 317 317 318 318 // buildSecretPath creates a path for a specific secret 319 319 - func (v *OpenBaoManager) buildSecretPath(repo DidSlashRepo, key string) string { 319 319 + func (v *OpenBaoManager) buildSecretPath(repo RepoIdentifier, key string) string { 320 320 return path.Join(v.buildRepoPath(repo), key) 321 321 }

+17 -17

spindle/secrets/openbao_test.go

··· 32 32 m.errorToReturn = nil 33 33 } 34 34 35 35 - func (m *MockOpenBaoManager) buildKey(repo DidSlashRepo, key string) string { 35 35 + func (m *MockOpenBaoManager) buildKey(repo RepoIdentifier, key string) string { 36 36 return string(repo) + "_" + key 37 37 } 38 38 ··· 64 64 return nil 65 65 } 66 66 67 67 - func (m *MockOpenBaoManager) GetSecretsLocked(ctx context.Context, repo DidSlashRepo) ([]LockedSecret, error) { 67 67 + func (m *MockOpenBaoManager) GetSecretsLocked(ctx context.Context, repo RepoIdentifier) ([]LockedSecret, error) { 68 68 if m.shouldError { 69 69 return nil, m.errorToReturn 70 70 } ··· 84 84 return result, nil 85 85 } 86 86 87 87 - func (m *MockOpenBaoManager) GetSecretsUnlocked(ctx context.Context, repo DidSlashRepo) ([]UnlockedSecret, error) { 87 87 + func (m *MockOpenBaoManager) GetSecretsUnlocked(ctx context.Context, repo RepoIdentifier) ([]UnlockedSecret, error) { 88 88 if m.shouldError { 89 89 return nil, m.errorToReturn 90 90 } ··· 103 103 return UnlockedSecret{ 104 104 Key: key, 105 105 Value: value, 106 106 - Repo: DidSlashRepo(repo), 106 106 + Repo: RepoIdentifier(repo), 107 107 CreatedAt: time.Now(), 108 108 CreatedBy: syntax.DID(createdBy), 109 109 } ··· 173 173 174 174 tests := []struct { 175 175 name string 176 176 - repo DidSlashRepo 176 176 + repo RepoIdentifier 177 177 key string 178 178 expected string 179 179 }{ 180 180 { 181 181 name: "simple repo path", 182 182 - repo: DidSlashRepo("did:plc:foo/repo"), 182 182 + repo: RepoIdentifier("did:plc:foo/repo"), 183 183 key: "api_key", 184 184 expected: "repos/did_plc_foo_repo/api_key", 185 185 }, 186 186 { 187 187 name: "complex repo path with dots", 188 188 - repo: DidSlashRepo("did:web:example.com/my-repo"), 188 188 + repo: RepoIdentifier("did:web:example.com/my-repo"), 189 189 key: "secret_key", 190 190 expected: "repos/did_web_example_com_my-repo/secret_key", 191 191 }, ··· 204 204 205 205 tests := []struct { 206 206 name string 207 207 - repo DidSlashRepo 207 207 + repo RepoIdentifier 208 208 expected string 209 209 }{ 210 210 { ··· 310 310 }, 311 311 removeSecret: Secret[any]{ 312 312 Key: "API_KEY", 313 313 - Repo: DidSlashRepo("did:plc:test/repo1"), 313 313 + Repo: RepoIdentifier("did:plc:test/repo1"), 314 314 }, 315 315 expectError: false, 316 316 }, ··· 319 319 setupSecrets: []UnlockedSecret{}, 320 320 removeSecret: Secret[any]{ 321 321 Key: "API_KEY", 322 322 - Repo: DidSlashRepo("did:plc:test/repo1"), 322 322 + Repo: RepoIdentifier("did:plc:test/repo1"), 323 323 }, 324 324 expectError: true, 325 325 }, ··· 352 352 tests := []struct { 353 353 name string 354 354 setupSecrets []UnlockedSecret 355 355 - queryRepo DidSlashRepo 355 355 + queryRepo RepoIdentifier 356 356 expectedCount int 357 357 expectedKeys []string 358 358 expectError bool ··· 364 364 createTestSecretForOpenBao("did:plc:test/repo1", "DB_PASSWORD", "dbpass456", "did:plc:creator"), 365 365 createTestSecretForOpenBao("did:plc:test/repo2", "OTHER_KEY", "other789", "did:plc:creator"), 366 366 }, 367 367 - queryRepo: DidSlashRepo("did:plc:test/repo1"), 367 367 + queryRepo: RepoIdentifier("did:plc:test/repo1"), 368 368 expectedCount: 2, 369 369 expectedKeys: []string{"API_KEY", "DB_PASSWORD"}, 370 370 expectError: false, ··· 372 372 { 373 373 name: "get secrets from empty repo", 374 374 setupSecrets: []UnlockedSecret{}, 375 375 - queryRepo: DidSlashRepo("did:plc:test/empty"), 375 375 + queryRepo: RepoIdentifier("did:plc:test/empty"), 376 376 expectedCount: 0, 377 377 expectedKeys: []string{}, 378 378 expectError: false, ··· 417 417 tests := []struct { 418 418 name string 419 419 setupSecrets []UnlockedSecret 420 420 - queryRepo DidSlashRepo 420 420 + queryRepo RepoIdentifier 421 421 expectedCount int 422 422 expectedSecrets map[string]string // key -> value 423 423 expectError bool ··· 429 429 createTestSecretForOpenBao("did:plc:test/repo1", "DB_PASSWORD", "dbpass456", "did:plc:creator"), 430 430 createTestSecretForOpenBao("did:plc:test/repo2", "OTHER_KEY", "other789", "did:plc:creator"), 431 431 }, 432 432 - queryRepo: DidSlashRepo("did:plc:test/repo1"), 432 432 + queryRepo: RepoIdentifier("did:plc:test/repo1"), 433 433 expectedCount: 2, 434 434 expectedSecrets: map[string]string{ 435 435 "API_KEY": "secret123", ··· 440 440 { 441 441 name: "get secrets from empty repo", 442 442 setupSecrets: []UnlockedSecret{}, 443 443 - queryRepo: DidSlashRepo("did:plc:test/empty"), 443 443 + queryRepo: RepoIdentifier("did:plc:test/empty"), 444 444 expectedCount: 0, 445 445 expectedSecrets: map[string]string{}, 446 446 expectError: false, ··· 521 521 name: "complete workflow", 522 522 scenario: func(t *testing.T, mock *MockOpenBaoManager) { 523 523 ctx := context.Background() 524 524 - repo := DidSlashRepo("did:plc:test/integration") 524 524 + repo := RepoIdentifier("did:plc:test/integration") 525 525 526 526 // Start with empty repo 527 527 secrets, err := mock.GetSecretsLocked(ctx, repo)

+2 -2

spindle/secrets/sqlite.go

··· 107 107 return nil 108 108 } 109 109 110 110 - func (s *SqliteManager) GetSecretsLocked(ctx context.Context, didSlashRepo DidSlashRepo) ([]LockedSecret, error) { 110 110 + func (s *SqliteManager) GetSecretsLocked(ctx context.Context, didSlashRepo RepoIdentifier) ([]LockedSecret, error) { 111 111 query := fmt.Sprintf(` 112 112 select repo, key, created_at, created_by from %s where repo = ?; 113 113 `, s.tableName) ··· 139 139 return ls, nil 140 140 } 141 141 142 142 - func (s *SqliteManager) GetSecretsUnlocked(ctx context.Context, didSlashRepo DidSlashRepo) ([]UnlockedSecret, error) { 142 142 + func (s *SqliteManager) GetSecretsUnlocked(ctx context.Context, didSlashRepo RepoIdentifier) ([]UnlockedSecret, error) { 143 143 query := fmt.Sprintf(` 144 144 select repo, key, value, created_at, created_by from %s where repo = ?; 145 145 `, s.tableName)

+21 -21

spindle/secrets/sqlite_test.go

··· 22 22 return UnlockedSecret{ 23 23 Key: key, 24 24 Value: value, 25 25 - Repo: DidSlashRepo(repo), 25 25 + Repo: RepoIdentifier(repo), 26 26 CreatedAt: time.Now(), 27 27 CreatedBy: syntax.DID(createdBy), 28 28 } ··· 147 147 }, 148 148 removeSecret: Secret[any]{ 149 149 Key: "api_key", 150 150 - Repo: DidSlashRepo("did:plc:foo/repo"), 150 150 + Repo: RepoIdentifier("did:plc:foo/repo"), 151 151 }, 152 152 expectError: nil, 153 153 }, ··· 158 158 }, 159 159 removeSecret: Secret[any]{ 160 160 Key: "non_existent_key", 161 161 - Repo: DidSlashRepo("did:plc:foo/repo"), 161 161 + Repo: RepoIdentifier("did:plc:foo/repo"), 162 162 }, 163 163 expectError: ErrKeyNotFound, 164 164 }, ··· 167 167 setupSecrets: []UnlockedSecret{}, 168 168 removeSecret: Secret[any]{ 169 169 Key: "any_key", 170 170 - Repo: DidSlashRepo("did:plc:foo/repo"), 170 170 + Repo: RepoIdentifier("did:plc:foo/repo"), 171 171 }, 172 172 expectError: ErrKeyNotFound, 173 173 }, ··· 178 178 }, 179 179 removeSecret: Secret[any]{ 180 180 Key: "api_key", 181 181 - Repo: DidSlashRepo("other.com/repo"), 181 181 + Repo: RepoIdentifier("other.com/repo"), 182 182 }, 183 183 expectError: ErrKeyNotFound, 184 184 }, ··· 209 209 tests := []struct { 210 210 name string 211 211 setupSecrets []UnlockedSecret 212 212 - queryRepo DidSlashRepo 212 212 + queryRepo RepoIdentifier 213 213 expectedCount int 214 214 expectedKeys []string 215 215 expectError bool ··· 221 221 createTestSecret("did:plc:foo/repo", "key2", "value2", "did:plc:user2"), 222 222 createTestSecret("other.com/repo", "key3", "value3", "did:plc:user3"), 223 223 }, 224 224 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 224 224 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 225 225 expectedCount: 2, 226 226 expectedKeys: []string{"key1", "key2"}, 227 227 expectError: false, ··· 232 232 createTestSecret("did:plc:foo/repo", "single_key", "single_value", "did:plc:user1"), 233 233 createTestSecret("other.com/repo", "other_key", "other_value", "did:plc:user2"), 234 234 }, 235 235 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 235 235 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 236 236 expectedCount: 1, 237 237 expectedKeys: []string{"single_key"}, 238 238 expectError: false, ··· 242 242 setupSecrets: []UnlockedSecret{ 243 243 createTestSecret("did:plc:foo/repo", "key1", "value1", "did:plc:user1"), 244 244 }, 245 245 - queryRepo: DidSlashRepo("nonexistent.com/repo"), 245 245 + queryRepo: RepoIdentifier("nonexistent.com/repo"), 246 246 expectedCount: 0, 247 247 expectedKeys: []string{}, 248 248 expectError: false, ··· 250 250 { 251 251 name: "get secrets from empty database", 252 252 setupSecrets: []UnlockedSecret{}, 253 253 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 253 253 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 254 254 expectedCount: 0, 255 255 expectedKeys: []string{}, 256 256 expectError: false, ··· 311 311 tests := []struct { 312 312 name string 313 313 setupSecrets []UnlockedSecret 314 314 - queryRepo DidSlashRepo 314 314 + queryRepo RepoIdentifier 315 315 expectedCount int 316 316 expectedSecrets map[string]string // key -> value 317 317 expectError bool ··· 323 323 createTestSecret("did:plc:foo/repo", "key2", "value2", "did:plc:user2"), 324 324 createTestSecret("other.com/repo", "key3", "value3", "did:plc:user3"), 325 325 }, 326 326 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 326 326 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 327 327 expectedCount: 2, 328 328 expectedSecrets: map[string]string{ 329 329 "key1": "value1", ··· 337 337 createTestSecret("did:plc:foo/repo", "single_key", "single_value", "did:plc:user1"), 338 338 createTestSecret("other.com/repo", "other_key", "other_value", "did:plc:user2"), 339 339 }, 340 340 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 340 340 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 341 341 expectedCount: 1, 342 342 expectedSecrets: map[string]string{ 343 343 "single_key": "single_value", ··· 349 349 setupSecrets: []UnlockedSecret{ 350 350 createTestSecret("did:plc:foo/repo", "key1", "value1", "did:plc:user1"), 351 351 }, 352 352 - queryRepo: DidSlashRepo("nonexistent.com/repo"), 352 352 + queryRepo: RepoIdentifier("nonexistent.com/repo"), 353 353 expectedCount: 0, 354 354 expectedSecrets: map[string]string{}, 355 355 expectError: false, ··· 357 357 { 358 358 name: "get unlocked secrets from empty database", 359 359 setupSecrets: []UnlockedSecret{}, 360 360 - queryRepo: DidSlashRepo("did:plc:foo/repo"), 360 360 + queryRepo: RepoIdentifier("did:plc:foo/repo"), 361 361 expectedCount: 0, 362 362 expectedSecrets: map[string]string{}, 363 363 expectError: false, ··· 429 429 return m.AddSecret(context.Background(), secret) 430 430 }, 431 431 func(m Manager) error { 432 432 - _, err := m.GetSecretsLocked(context.Background(), DidSlashRepo("interface.test/repo")) 432 432 + _, err := m.GetSecretsLocked(context.Background(), RepoIdentifier("interface.test/repo")) 433 433 return err 434 434 }, 435 435 func(m Manager) error { 436 436 - _, err := m.GetSecretsUnlocked(context.Background(), DidSlashRepo("interface.test/repo")) 436 436 + _, err := m.GetSecretsUnlocked(context.Background(), RepoIdentifier("interface.test/repo")) 437 437 return err 438 438 }, 439 439 func(m Manager) error { 440 440 secret := Secret[any]{ 441 441 Key: "test_key", 442 442 - Repo: DidSlashRepo("interface.test/repo"), 442 442 + Repo: RepoIdentifier("interface.test/repo"), 443 443 } 444 444 return m.RemoveSecret(context.Background(), secret) 445 445 }, ··· 498 498 { 499 499 name: "multi-repo secret management", 500 500 scenario: func(t *testing.T, manager *SqliteManager) { 501 501 - repo1 := DidSlashRepo("example1.com/repo") 502 502 - repo2 := DidSlashRepo("example2.com/repo") 501 501 + repo1 := RepoIdentifier("example1.com/repo") 502 502 + repo2 := RepoIdentifier("example2.com/repo") 503 503 504 504 secrets := []UnlockedSecret{ 505 505 createTestSecret(string(repo1), "db_password", "super_secret_123", "did:plc:admin"), ··· 543 543 { 544 544 name: "empty database operations", 545 545 scenario: func(t *testing.T, manager *SqliteManager) { 546 546 - repo := DidSlashRepo("empty.test/repo") 546 546 + repo := RepoIdentifier("empty.test/repo") 547 547 548 548 // Operations on empty database should not error 549 549 locked, err := manager.GetSecretsLocked(context.Background(), repo)

+7 -2

spindle/server.go

··· 315 315 } 316 316 317 317 // filter by repos 318 318 + repoName := "" 319 319 + if tpl.TriggerMetadata.Repo.Repo != nil { 320 320 + repoName = *tpl.TriggerMetadata.Repo.Repo 321 321 + } 322 322 + 318 323 _, err = s.db.GetRepo( 319 324 tpl.TriggerMetadata.Repo.Knot, 320 325 tpl.TriggerMetadata.Repo.Did, 321 321 - tpl.TriggerMetadata.Repo.Repo, 326 326 + repoName, 322 327 ) 323 328 if err != nil { 324 329 return fmt.Errorf("failed to get repo: %w", err) ··· 382 387 Run: func() error { 383 388 engine.StartWorkflows(log.SubLogger(s.l, "engine"), s.vault, s.cfg, s.db, s.n, ctx, &models.Pipeline{ 384 389 RepoOwner: tpl.TriggerMetadata.Repo.Did, 385 385 - RepoName: tpl.TriggerMetadata.Repo.Repo, 390 390 + RepoName: repoName, 386 391 Workflows: workflows, 387 392 }, pipelineId) 388 393 return nil

+1 -1

spindle/xrpc/add_secret.go

··· 75 75 } 76 76 77 77 secret := secrets.UnlockedSecret{ 78 78 - Repo: secrets.DidSlashRepo(didPath), 78 78 + Repo: secrets.RepoIdentifier(didPath), 79 79 Key: data.Key, 80 80 Value: data.Value, 81 81 CreatedAt: time.Now(),

+1 -1

spindle/xrpc/list_secrets.go

··· 69 69 return 70 70 } 71 71 72 72 - ls, err := x.Vault.GetSecretsLocked(r.Context(), secrets.DidSlashRepo(didPath)) 72 72 + ls, err := x.Vault.GetSecretsLocked(r.Context(), secrets.RepoIdentifier(didPath)) 73 73 if err != nil { 74 74 l.Error("failed to get secret from vault", "did", actorDid.String(), "err", err) 75 75 writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError)

+1 -1

spindle/xrpc/remove_secret.go

··· 69 69 } 70 70 71 71 secret := secrets.Secret[any]{ 72 72 - Repo: secrets.DidSlashRepo(didPath), 72 72 + Repo: secrets.RepoIdentifier(didPath), 73 73 Key: data.Key, 74 74 } 75 75 err = x.Vault.RemoveSecret(r.Context(), secret)