refactor(config): derive provider API-key env vars from config#3375
Merged
Conversation
Assisted-By: docker/docker-agent
Only forward dedicated single-secret model API keys into the eval container. Exclude non-secret detection/mode flags (GOOGLE_GENAI_USE_VERTEXAI), multi-variable AWS/Bedrock credentials, and the broad GITHUB_TOKEN, none of which should leak into a privileged container. Sort output for determinism and add test coverage.
391cdde to
1c70169
Compare
Sayt-0
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The list of provider API-key env vars forwarded into the privileged eval container was hard-coded in
pkg/evaluation/eval.go. This meant every new provider required a manual update in two places, and it was easy to miss or to include vars that should not leak (mode flags, multi-variable credential sets, broad tokens).This replaces that hard-coded list with a new
ProviderAPIKeyEnvVars()helper inpkg/config/auto.go. The helper derives the list directly from the provider registry, so it stays in sync automatically. It deliberately excludes non-secret detection flags (e.g.GOOGLE_GENAI_USE_VERTEXAI), multi-variable AWS/Bedrock credential sets, and broad general-purpose tokens likeGITHUB_TOKEN— none of which belong in the eval container. Output is sorted for determinism. ATestProviderAPIKeyEnvVarstest guards the filtering logic.Two small readability refactors land alongside: an
addEnvclosure inpkg/evaluation/eval.goremoves repeated container-env boilerplate, and anInputSession.criteria()accessor inpkg/evaluation/types.godeduplicates nil-guard patterns. Both are strictly behavior-preserving.