
refactor(config): derive provider API-key env vars from config #3375

Merged
Sayt-0 merged 4 commits into docker:main from dgageot:worktree-board-338f1bc0268ef201 on Jul 1, 2026

@dgageot dgageot commented Jul 1, 2026

Member

The list of provider API-key env vars forwarded into the privileged eval container was hard-coded in pkg/evaluation/eval.go. This meant every new provider required a manual update in two places, and it was easy to miss or to include vars that should not leak (mode flags, multi-variable credential sets, broad tokens).

This replaces that hard-coded list with a new ProviderAPIKeyEnvVars() helper in pkg/config/auto.go. The helper derives the list directly from the provider registry, so it stays in sync automatically. It deliberately excludes non-secret detection flags (e.g. GOOGLE_GENAI_USE_VERTEXAI), multi-variable AWS/Bedrock credential sets, and broad general-purpose tokens like GITHUB_TOKEN — none of which belong in the eval container. Output is sorted for determinism. A TestProviderAPIKeyEnvVars test guards the filtering logic.

Two small readability refactors land alongside: an addEnv closure in pkg/evaluation/eval.go removes repeated container-env boilerplate, and an InputSession.criteria() accessor in pkg/evaluation/types.go deduplicates nil-guard patterns. Both are strictly behavior-preserving.

@dgageot dgageot requested a review from a team as a code owner July 1, 2026 12:33
dgageot added 4 commits July 1, 2026 14:33
Only forward dedicated single-secret model API keys into the eval
container. Exclude non-secret detection/mode flags (GOOGLE_GENAI_USE_VERTEXAI),
multi-variable AWS/Bedrock credentials, and the broad GITHUB_TOKEN, none of
which should leak into a privileged container. Sort output for determinism
and add test coverage.
@dgageot dgageot force-pushed the worktree-board-338f1bc0268ef201 branch from 391cdde to 1c70169 Compare July 1, 2026 12:35
@Sayt-0 Sayt-0 merged commit 3089d36 into docker:main Jul 1, 2026
7 checks passed
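
The filtering rule described in the PR (forward only dedicated single-secret API keys, sorted), sketched as an added example; this is not the project's `ProviderAPIKeyEnvVars()` code. The registry shape, `denied`, `forwardableKeys` and `containerEnv` are hypothetical names, and the registry contents are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// registry: constructed sample data (provider -> env vars); not the project's real type.
var registry = map[string][]string{
	"openai":    {"OPENAI_API_KEY"},
	"anthropic": {"ANTHROPIC_API_KEY"},
	"google":    {"GOOGLE_API_KEY"},
	"vertexai":  {"GOOGLE_GENAI_USE_VERTEXAI"},
	"bedrock":   {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"},
	"github":    {"GITHUB_TOKEN"},
}

// denied: a non-secret mode flag and a broad general-purpose token.
var denied = map[string]bool{"GOOGLE_GENAI_USE_VERTEXAI": true, "GITHUB_TOKEN": true}

// forwardableKeys keeps single-variable, non-denied entries; sorted because map order is random.
func forwardableKeys(reg map[string][]string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, vars := range reg {
		if len(vars) != 1 || denied[vars[0]] || seen[vars[0]] {
			continue
		}
		seen[vars[0]] = true
		out = append(out, vars[0])
	}
	sort.Strings(out)
	return out
}

// containerEnv emits KEY=VALUE only for allowed vars that are set on the host.
func containerEnv(host map[string]string, allowed []string) []string {
	env := []string{}
	for _, k := range allowed {
		if v := host[k]; v != "" {
			env = append(env, k+"="+v)
		}
	}
	return env
}

func main() {
	fmt.Println(forwardableKeys(registry))
}
```

A test like the one the PR mentions would assert both the exact sorted list and that a host `GITHUB_TOKEN` never appears in the container environment.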