Skip to content

CICD Apply fix#80

Merged
DCCoder90 merged 1 commit intomainfrom
sys-update-fix
Feb 26, 2026
Merged

CICD Apply fix#80
DCCoder90 merged 1 commit intomainfrom
sys-update-fix

Conversation

@DCCoder90
Copy link
Copy Markdown
Owner

@DCCoder90 DCCoder90 commented Feb 26, 2026

No description provided.

@DCCoder90 DCCoder90 merged commit c0dcdf6 into main Feb 26, 2026
@DCCoder90 DCCoder90 deleted the sys-update-fix branch February 26, 2026 18:59
github-advanced-security[bot]
github-advanced-security AI found potential problems Feb 26, 2026
View reviewed changes
Comment thread .github/workflows/run-apply.yml
workspace: TF_WORKSPACE_APPS
env:
TF_WORKSPACE: ${{ matrix.workspace }}
TF_WORKSPACE: ${{ secrets[matrix.workspace] }}

Check warning

Code scanning / CodeQL

Excessive Secrets Exposure Medium

All organization and repository secrets are passed to the workflow runner in
secrets[matrix.workspace]
Loading

Copilot Autofix

AI about 2 months ago

In general, the fix is to avoid dynamically indexing into secrets and instead reference only the specific secrets that are required, using static names. For matrix workflows, that usually means either (1) mapping each matrix entry to a concrete secret name and using conditionals or distinct jobs, or (2) if the value is not truly secret, storing it in a non‑secret context like vars or the matrix definition itself.

For this workflow, TF_WORKSPACE appears to be a Terraform Cloud workspace identifier, not a secret. The cleanest fix that does not change behavior is:

  • Move the workspace values from secrets into non‑secret configuration (the matrix itself).
  • Set TF_WORKSPACE directly from the matrix value instead of from secrets[...].

Concretely, within .github/workflows/run-apply.yml:

  1. Change the matrix.include entries so that workspace contains the actual Terraform Cloud workspace name (e.g., core and apps, or whatever the current secret values are) instead of the names of secrets.
  2. Update the env block to set TF_WORKSPACE: ${{ matrix.workspace }} instead of TF_WORKSPACE: ${{ secrets[matrix.workspace] }}.

This removes the dynamic secret access and ensures the runner only receives the explicitly referenced secrets (TF_API_TOKEN and TF_ORGANIZATION), preserving existing functionality of choosing a workspace per matrix entry.

Suggested changeset 1
.github/workflows/run-apply.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/run-apply.yml b/.github/workflows/run-apply.yml
--- a/.github/workflows/run-apply.yml
+++ b/.github/workflows/run-apply.yml
@@ -23,11 +23,11 @@
       matrix:
         include:
           - name: core
-            workspace: TF_WORKSPACE_CORE
+            workspace: core
           - name: apps
-            workspace: TF_WORKSPACE_APPS
+            workspace: apps
     env:
-        TF_WORKSPACE: ${{ secrets[matrix.workspace] }}
+        TF_WORKSPACE: ${{ matrix.workspace }}
         CONFIG_DIRECTORY: "./"
 
     steps:
EOF
@@ -23,11 +23,11 @@
matrix:
include:
- name: core
workspace: TF_WORKSPACE_CORE
workspace: core
- name: apps
workspace: TF_WORKSPACE_APPS
workspace: apps
env:
TF_WORKSPACE: ${{ secrets[matrix.workspace] }}
TF_WORKSPACE: ${{ matrix.workspace }}
CONFIG_DIRECTORY: "./"

steps:
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DCCoder90 @github-advanced-security