Skip to content

feat: add --env-file / -e flag for secret injection (Issue #23)#45

Merged
seanseannery merged 10 commits intomainfrom
feat/env-file-flag
Mar 9, 2026
Merged

feat: add --env-file / -e flag for secret injection (Issue #23)#45
seanseannery merged 10 commits intomainfrom
feat/env-file-flag

Conversation

@seanseannery
Copy link
Owner

@seanseannery seanseannery commented Mar 9, 2026

Key Changes

  • New -e / --env-file <path> flag loads secrets from a .env-format file at invocation time without committing them to the Opsfile or pre-exporting them in the shell
  • Auto-loads .ops_secrets.env from the Opsfile directory when no -e flag is given (silent no-op if absent); explicit -e replaces the default, not stacks with it
  • Updated 6-level variable resolution priority (shell env wins, matching Docker Compose / Terraform convention): shell env-scoped → Opsfile env-scoped → env-file env-scoped → shell unscoped → Opsfile unscoped → env-file unscoped
  • --help documents that -e must appear before positional arguments, and that --dry-run will expose injected secret values

Why do we need this?

Opsfile variables are committed to the repo for non-sensitive config, but many operational commands require secrets (AWS tokens, DB passwords, API keys) that cannot be committed. Previously operators had to pre-export these manually in their shell session. This flag lets them point ops at a .env file at invocation time. Closes #23.

New modules or other dependencies introduced

None. internal/envfile_parser.go reuses the existing extractVariableValue helper from opsfile_parser.go. No external dependencies added.

How was this tested?

  • 6 new ParseEnvFile unit tests: quoting (single/double), comments, blank lines, env-scoped keys, empty-name error, file-not-found, directory path, Windows \r\n line endings, exact error format
  • 8 new flag parser tests: -e short/long/= syntax, duplicate flag error, missing arg error, combined with other flags, --help output assertions
  • Full 6-level priority chain tested via table-driven TestResolveVar_PriorityChain (p1–p6) plus boundary tests (env-file-scoped beats opsfile-unscoped, env-scoped key wrong-env)
  • 3 existing resolver tests corrected to reflect new shell-wins priority order
  • .ops_secrets.env auto-load, silent-skip, and bypass-when-explicit tested in cmd/ops integration path
  • All 132 tests pass, lint clean

seanseannery added 10 commits March 9, 2026 15:52
docs: add design doc for --env-file flag feature (Issue #23)
0e088d4
docs(testplan): add test plan for --env-file / -e flag (Issue #23)
7678355
docs: iterate on env-file design doc with QA feedback
e85acd1
docs: revise env-file design with user feedback — shell-wins priority…
8c5d088 
…, default .ops_secrets.env
docs: simplify -e flag to single-use (no repeat)
1bfd3a6
docs(testplan): update env-file test plan for revised design (shell-w…
3d5dd22 
…ins priority, single-use flag, default .ops_secrets.env)
docs: fix residual StringArrayP and ParseEnvFiles references
dba6d75
feat: implement --env-file / -e flag for secret injection (issue #23)
028f719 
Add -e/--env-file flag to load variables from .env files with 6-level
shell-wins priority chain. Default loads .ops_secrets.env if present.
test: add edge case tests for --env-file flag (windows CRLF, path-is-…
f41243d 
…dir, error format, P3vsP5 priority, wrong-env scoped key, help text validation)
chore: gofmt command_resolver_test.go
16b25e6
@seanseannery seanseannery merged commit 6289bdc into main Mar 9, 2026
4 checks passed
@seanseannery seanseannery mentioned this pull request Mar 9, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: --env-file / -e flag to inject variables from a .env file

1 participant

@seanseannery