@LuD1161 LuD1161 commented Jan 14, 2026

Summary

  • Add secret type to entry point runtime inputs (renders as password field in UI)
  • Fix IsolatedContainerVolume permissions for nonroot containers (distroless images)
  • Update documentation for both features

Changes

  • Entry Point Secret Inputs: Added 'secret' to runtime input types across worker, backend, and frontend. Secret inputs render as masked password fields in the RunWorkflowDialog.
  • Nonroot Container Support: Added setVolumePermissions() to IsolatedContainerVolume that sets chmod 777 on volume directories, allowing distroless nonroot containers (uid 65532) to write output files.
  • Documentation: Updated component-development.mdx with Entry Point Runtime Input Types section, isolated-volumes.mdx with Nonroot Container Support section, and SKILL.md quick reference.

Test plan

  • Verify secret runtime inputs render as password fields in workflow trigger dialog
  • Verify secret values flow through entry point to downstream components
  • Test Docker components using distroless nonroot images can write output files
  • Run unit tests: bun --cwd worker test

🤖 Generated with Claude Code

…ainer volumes

- Add 'secret' type to entry point runtime inputs schema (worker, backend, frontend)
- Render secret inputs as password fields in RunWorkflowDialog
- Add secret option to RuntimeInputsEditor dropdown
- Fix IsolatedContainerVolume permissions for nonroot containers (distroless)
- Add setVolumePermissions() to chmod 777 after writing files
- Add tests for secret runtime inputs and port resolution
- Update docs for secret input type and nonroot container support

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
@LuD1161 LuD1161 force-pushed the eng-92/entry-point-secret-inputs branch from c1dbcc9 to 882316e on January 14, 2026 16:54

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

outputs[inputDef.id] = value;
context.logger.info(`[EntryPoint] Output '${inputDef.id}' = ${typeof value === 'object' ? JSON.stringify(value) : value}`);

[P1] Avoid logging secret runtime input values

The loop logs each runtime input value verbatim; when the new secret type is used, this will emit the secret into worker logs whenever a workflow is triggered. That defeats the intent of masking in the UI and can leak credentials to log sinks (e.g., Loki). Consider skipping logging for secret inputs or redacting the value before logging.

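The redaction the review comment asks for, as an added TypeScript example that is not code from this PR or the project. `RuntimeInputDef`, `secretNeedles`, `buildEntryPointLogLines` and the sample inputs are hypothetical; only the `'secret'` type and the log line format come from the page. It goes one step beyond the comment by also scrubbing a secret value that is echoed inside a non-secret input.

```typescript
// Added example. Only the 'secret' type and the log line format come from the PR.
interface RuntimeInputDef {
  id: string;
  type: string; // 'secret' marks a masked input; other type names are assumed
}

const REDACTED = '[REDACTED]';
// Every literal form a secret string can take in a log line: the raw value and
// its JSON-escaped form (quotes and backslashes change inside JSON.stringify).
function secretNeedles(defs: RuntimeInputDef[], inputs: Record<string, unknown>): string[] {
  const needles: string[] = [];
  for (const def of defs) {
    if (def.type !== 'secret') continue;
    const raw = inputs[def.id];
    // An empty string would match at every position, so it is never a needle.
    if (typeof raw !== 'string' || raw.length === 0) continue;
    for (const form of [raw, JSON.stringify(raw).slice(1, -1)]) {
      if (needles.indexOf(form) === -1) needles.push(form);
    }
  }
  // Longest first, so a secret that contains another is replaced whole.
  return needles.sort((a, b) => b.length - a.length);
}

function buildEntryPointLogLines(defs: RuntimeInputDef[], inputs: Record<string, unknown>): string[] {
  const needles = secretNeedles(defs, inputs);
  return defs.map((def) => {
    const value = inputs[def.id];
    // A secret input is never formatted at all, whatever its runtime type.
    let rendered = def.type === 'secret'
      ? REDACTED
      : typeof value === 'object' ? JSON.stringify(value) : String(value);
    // Scrub copies of a secret that were pasted into a non-secret input.
    for (const needle of needles) rendered = rendered.split(needle).join(REDACTED);
    return `[EntryPoint] Output '${def.id}' = ${rendered}`;
  });
}

// Constructed sample data, not taken from the project.
const sampleDefs: RuntimeInputDef[] = [
  { id: 'target', type: 'text' }, { id: 'apiKey', type: 'secret' }, { id: 'headers', type: 'json' },
];
const sampleInputs: Record<string, unknown> = {
  target: 'https://example.test',
  apiKey: 's3cr"et',
  headers: { Authorization: 'Bearer s3cr"et' },
};
for (const line of buildEntryPointLogLines(sampleDefs, sampleInputs)) console.log(line);
```

Non-string secret values are masked on their own line but are not searched for inside other inputs.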

- Fix PTY fallback to restore -i flag when falling back to standard IO
- Update supabase-scanner for distroless image (no shell wrapper needed)
- Add maskSecretInputs helper for masking secret inputs in activity logs
- Handle custom Zod validations in DSL validator for placeholder fields
- Mask secret runtime inputs in entry-point component logs

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
@LuD1161 LuD1161 force-pushed the eng-92/entry-point-secret-inputs branch from 6079a4d to 82540d0 on January 14, 2026 18:37
@LuD1161 LuD1161 merged commit 5b88aaf into main Jan 14, 2026
3 checks passed