feat(secrets): allow opt-in symlink exec command paths
committed by Peter Steinberger
parent 06290b49b2
commit f46b9c996f
@@ -2444,7 +2444,9 @@ Validation:
|
||||
Notes:
|
||||
|
||||
- `file` provider supports `mode: "json"` and `mode: "singleValue"` (`id` must be `"value"` in singleValue mode).
|
||||
- `exec` provider requires an absolute non-symlink `command` path and uses protocol payloads on stdin/stdout.
|
||||
- `exec` provider requires an absolute `command` path and uses protocol payloads on stdin/stdout.
|
||||
- By default, symlink command paths are rejected. Set `allowSymlinkCommand: true` to allow symlink paths while validating the resolved target path.
|
||||
- If `trustedDirs` is configured, the trusted-dir check applies to the resolved target path.
|
||||
- `exec` child environment is minimal by default; pass required variables explicitly with `passEnv`.
|
||||
- Secret refs are resolved at activation time into an in-memory snapshot, then request paths read the snapshot only.
|
||||
|
||||
|
||||
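Review bot: the new `allowSymlinkCommand` note says the resolved target path is validated, but it does not say which checks that covers when `trustedDirs` is not configured, nor whether the process is then started from the resolved path or from the original symlink. Please state both in the Notes list. If the symlink is re-resolved at exec time, a link retargeted after validation would bypass the check, so the docs should say that the validated resolved path is the one executed, if that is the case. It would also help to recommend setting `trustedDirs` whenever `allowSymlinkCommand: true` is used, since the following line makes the trusted-dir check conditional on `trustedDirs` being configured.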