
Conversation

@AlexSkrypnyk (Member) commented Jul 22, 2025

Closes #1601

Summary by CodeRabbit

  • Chores
    • Improved secure handling of package tokens by integrating Docker secrets for the CLI service across configuration and test fixture files.
    • Updated environment variable management in workflow jobs to streamline token usage and enhance security.
    • Adjusted test fixtures to include secret definitions and references for consistent build processes.

coderabbitai bot commented Jul 22, 2025

Walkthrough

The changes introduce Docker secrets management for securely handling the PACKAGE_TOKEN used during the build of the cli service. Docker Compose and related JSON fixtures now define and reference a package_token secret. The Dockerfile was updated to read the token from a mounted secret if available, with fallback to the environment variable.

Changes

File(s) / Change Summary
.docker/cli.dockerfile: Updated PHP dependency installation to use Docker BuildKit secrets for PACKAGE_TOKEN; added hadolint ignore comment.
docker-compose.yml: Added secrets section; defined and referenced package_token for the cli service.
.github/workflows/build-test-deploy.yml: Reordered environment variables; removed explicit PACKAGE_TOKEN in some steps; no control flow changes.
.vortex/tests/bats/fixtures/docker-compose.env.json, .vortex/tests/bats/fixtures/docker-compose.env_local.json, .vortex/tests/bats/fixtures/docker-compose.env_mod.json, .vortex/tests/bats/fixtures/docker-compose.noenv.json: Added top-level secrets section with package_token; referenced in cli service build configuration.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant Docker Compose
    participant Docker BuildKit
    participant Dockerfile
    participant Composer

    Developer->>Docker Compose: Start cli service build
    Docker Compose->>Docker BuildKit: Pass package_token secret (from env)
    Docker BuildKit->>Dockerfile: Mount /run/secrets/package_token if secret exists
    Dockerfile->>Dockerfile: Read package_token from secret file or env var
    Dockerfile->>Composer: Set COMPOSER_AUTH with token (if found)
    Dockerfile->>Composer: Install PHP dependencies

Estimated code review effort

3 (~40 minutes)

Poem

A secret token, tucked away,
Now hidden safe where secrets stay.
No more peeking, no more fear—
Docker whispers, "Your token's clear!"
With Compose and BuildKit in the mix,
Our builds are clever, safe, and slick.
🐇✨



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3521043 and dae2f03.

📒 Files selected for processing (2)
  • .docker/cli.dockerfile (1 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
🔇 Additional comments (2)
docker-compose.yml (2)

102-104: Great switch to BuildKit secrets

Moving the token from build-args to secrets eliminates it from the image history—well done.
No issues spotted in this hunk.


275-277: Ensure Compose file version ≥ 3.1

Top-level secrets: requires Compose schema 3.1+.
If the version: key is absent or still set to 2.x/3.0, older runtimes will ignore the section and the build will break.

Please confirm the file header declares version: "3.8" (or later).

AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from dae2f03 to 1c1f1ef on July 22, 2025 07:17
github-actions bot temporarily deployed to commit on July 22, 2025 07:19
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🔭 Outside diff range comments (1)
docker-compose.yml (1)

275-278: Limit the secret to build-time only

Declaring github_token at the top level means it can be attached at runtime.
If nothing needs the token after build, tighten the scope:

-  github_token:
-    environment: GITHUB_TOKEN
+  github_token:
+    environment: GITHUB_TOKEN
+    # runtime: no
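Review bot: `# runtime: no` is a comment, not a Compose attribute, so the suggested lines change nothing. A top-level secret is only mounted into a container when a service lists it under its own `secrets:` key; declaring it at top level and referencing it solely from `cli.build.secrets` (the parenthetical alternative) is already the build-time scoping being asked for, so the diff can be dropped and only the parenthetical kept.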

(or define it only under cli.build.secrets).

♻️ Duplicate comments (2)
.docker/cli.dockerfile (2)

72-77: Still missing BuildKit header & mandatory secret flag

Previous feedback stands: add the frontend header and mark the secret as required to avoid silent fall-back to unauthenticated installs.

+# syntax=docker/dockerfile:1.6-RUN --mount=type=secret,id=github_token \
+RUN --mount=type=secret,id=github_token,required=true \
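Review bot: the `# syntax=docker/dockerfile:1.6` directive here is fused onto the removed RUN line, and a parser directive only takes effect as the very first line of the Dockerfile, before the `# CLI container.` comment; placed next to the RUN at line 72 it is an ordinary comment. Separately, `required=true` contradicts the fallback-to-environment behaviour the PR description states: a build with no secret supplied would abort instead of installing unauthenticated, which may be the intended hardening but should be called out rather than introduced silently.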

74-77: Token persists in the layer

export COMPOSER_AUTH=… keeps the token in the shell for the rest of the layer. Inline it for the Composer process only (see prior suggestion with jq) to avoid lingering secrets.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dae2f03 and 1c1f1ef.

📒 Files selected for processing (2)
  • .docker/cli.dockerfile (2 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (2)
docker-compose.yml (2)

102-104: Add DOCKER_BUILDKIT=1 in CI to guarantee secret mount availability

build.secrets only works when BuildKit is enabled. Classic Docker falls back to the legacy builder and silently drops the secret, which will break authenticated Composer installs. Ensure your local and CI runners export DOCKER_BUILDKIT=1 (or use Compose v2.20+ with the BuildKit front-end).


102-104: Secret-based build arg switch looks good

Replacing the plain build-arg with a BuildKit secret keeps the token out of layer history. Nice hardening step.

github-actions bot temporarily deployed to commit on July 22, 2025 08:43
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1c1f1ef and 807c990.

📒 Files selected for processing (2)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (1)
.circleci/config.yml (1)

80-80: Verify remote Docker Engine BuildKit support

DOCKER_BUILDKIT only enables the client; CircleCI’s remote Docker daemon may silently ignore it if it’s older than 18.09, breaking features like secret mounts.

• Add a check inside your build job to print the server version at runtime:

- run:
    name: Check remote Docker server version
    command: docker version --format 'Server: {{.Server.Version}}'

• Confirm the logged version is ≥18.09 (23.x+ recommended).
• For consistency, add DOCKER_BUILDKIT: 1 under the environment: section of any other jobs that build Docker images (e.g., database).

github-actions bot temporarily deployed to commit on July 23, 2025 00:08
github-actions bot temporarily deployed to commit on July 23, 2025 00:16
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/build-test-deploy.yml (1)

259-261: Same duplication of GITHUB_TOKEN here

Repeat of the previous issue – centralise the secret and delete these lines after moving the env definition to the job container block.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7e02f4 and 82610be.

📒 Files selected for processing (1)
  • .github/workflows/build-test-deploy.yml (2 hunks)
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs

codecov bot commented Jul 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.51%. Comparing base (f5bf6d6) to head (f66048f).
Report is 2 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #1816   +/-   ##
========================================
  Coverage    74.51%   74.51%           
========================================
  Files           84       84           
  Lines         4760     4760           
  Branches        35       35           
========================================
  Hits          3547     3547           
  Misses        1213     1213           


github-actions bot temporarily deployed to commit on July 23, 2025 00:33
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.docker/cli.dockerfile (1)

5-5: Global SC2155 suppression is still too coarse (duplicate)

The project-wide ignore continues to mask unrelated shellcheck issues. Please replace it with local # shellcheck disable=SC2155 annotations only where absolutely necessary.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82610be and 585d929.

📒 Files selected for processing (1)
  • .docker/cli.dockerfile (2 hunks)
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs

Comment on lines 72 to 80
# Install PHP dependencies without development packages to avoid exposing
# potential security vulnerabilities in the production environment.
RUN --mount=type=secret,id=github_token \
if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; exit 1; fi && \
COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader

🛠️ Refactor suggestion

⚠️ Potential issue

RUN layer aborts the build & secret is not marked required

  1. exit 1 inside the if block unconditionally fails the layer whenever the token file exists, stopping the build.
  2. Omitting required=true means the build proceeds silently without auth if the secret is missing—exactly what we’re trying to prevent.
  3. The token is exported into the shell environment for the remainder of the layer, increasing exposure risk.

Minimal fix:

-RUN --mount=type=secret,id=github_token \
-    if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; exit 1; fi && \
+RUN --mount=type=secret,id=github_token,required=true \
+    if [ -s /run/secrets/github_token ]; then \
+      export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; \
+    fi && \
     COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
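Review bot: dropping `exit 1` fixes the aborted layer, but `export COMPOSER_AUTH=...` still leaves the token in the environment of every later command in this RUN, and `$(cat /run/secrets/github_token)` is spliced into the JSON with no escaping, so a token containing `"` or `\` yields an invalid auth document. Writing the assignment as a prefix on the command (`COMPOSER_AUTH="..." composer install ...`) scopes it to the composer process. With `required=true` the file is guaranteed to exist, so the `if [ -s ... ]` guard only protects against an empty secret; worth a comment so the two are not read as contradicting each other.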

(Optionally switch to an in-memory COMPOSER_AUTH via jq to avoid export; see prior nitpick.)

Also add the BuildKit frontend header at the very top of the file to guarantee --mount=type=secret support:

# syntax=docker/dockerfile:1.6
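The three concerns raised across these reviews (token left exported for the rest of the layer, token spliced into the JSON without escaping, and the file-then-environment fallback) can be exercised outside Docker. The POSIX shell script below is an added example and is not code from the Vortex project or from the bot's suggested diffs: it reads the token from a BuildKit-style secret file (the path is a parameter; `/run/secrets/github_token` is the assumed default), falls back to `GITHUB_TOKEN`, builds the Composer auth document with `jq` when it is installed and with a checked `printf` otherwise, and hands `COMPOSER_AUTH` to the child process only, so nothing lingers in the calling shell. The token value, temp file and the `sh -c` stand-in for `composer install` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Vortex project code: build Composer's auth JSON from a
# BuildKit-style secret file (with env-var fallback) and pass it to a child
# process only. Paths and the composer stand-in are assumptions for the demo.

# Print the token: the secret file first (BuildKit mounts /run/secrets/<id>),
# then the GITHUB_TOKEN environment variable; prints nothing if neither is set.
read_token() {
  secret_file="${1:-/run/secrets/github_token}"
  if [ -s "$secret_file" ]; then
    # strip the line ending that `echo "$TOKEN" > file` leaves behind,
    # otherwise it ends up inside the JSON string
    tr -d '\r\n' < "$secret_file"
  else
    printf '%s' "${GITHUB_TOKEN:-}"
  fi
}

# Print the COMPOSER_AUTH document for a token. Uses jq when available so a
# token containing quotes or backslashes is escaped correctly; without jq,
# refuses such tokens rather than emitting broken JSON.
composer_auth_json() {
  tok="$1"
  [ -n "$tok" ] || return 1
  if command -v jq >/dev/null 2>&1; then
    jq -cn --arg tok "$tok" '{"github-oauth": {"github.com": $tok}}'
  else
    case "$tok" in
      *\"* | *\\*)
        echo "token needs JSON escaping and jq is not installed" >&2
        return 1 ;;
    esac
    printf '{"github-oauth":{"github.com":"%s"}}' "$tok"
  fi
}

# Run "$@" with COMPOSER_AUTH set for that process only. An assignment prefix
# (VAR=value cmd) never enters this shell's environment, unlike `export`.
with_composer_auth() {
  secret_file="$1"
  shift
  tok="$(read_token "$secret_file")"
  if [ -n "$tok" ]; then
    auth="$(composer_auth_json "$tok")" || return 1
    COMPOSER_AUTH="$auth" "$@"
  else
    # no token anywhere: run unauthenticated, as the Dockerfile's fallback does
    "$@"
  fi
}

# Demo with a constructed token file; `composer install` is replaced by a shell
# that just reports what it received, then the parent shows it kept nothing.
main() {
  tmp="$(mktemp)"
  printf 'ghp_constructed_demo_token\n' > "$tmp"
  with_composer_auth "$tmp" sh -c 'printf "child sees: %s\n" "$COMPOSER_AUTH"'
  printf 'parent sees: [%s]\n' "${COMPOSER_AUTH:-}"
  rm -f "$tmp"
}

main
```

Inside a Dockerfile the same shape collapses to one RUN line, `COMPOSER_AUTH="$(composer_auth_json "$(read_token)")" composer install ...`: the assignment prefix is visible to that one command, which is exactly what the `export` form fails to guarantee, and the `jq` path is the only one that is safe for arbitrary token characters.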

github-actions bot temporarily deployed to commit on July 23, 2025 00:54
github-actions bot temporarily deployed to commit on July 23, 2025 00:59
github-actions bot temporarily deployed to commit on July 23, 2025 01:05
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🔭 Outside diff range comments (1)
.docker/cli.dockerfile (1)

1-4: Add # syntax=docker/dockerfile:1.6 to guarantee BuildKit frontend ≥ 1.6
--mount=type=secret is parsed only by the BuildKit frontend. Without the header, older/implicit front-ends silently ignore the mount, breaking the build when the secret path is referenced.
Proposed patch:

+# syntax=docker/dockerfile:1.6
 # CLI container.
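Review bot: this is the correct placement, above the `# CLI container.` comment, since the parser directive is honoured only on line 1. Consider `# syntax=docker/dockerfile:1` instead of pinning `1.6`: the unversioned tag tracks the latest stable 1.x frontend, which already supports `--mount=type=secret` with `required=true`, so the pin buys nothing here and just means a manual bump for future frontend fixes.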
♻️ Duplicate comments (1)
.docker/cli.dockerfile (1)

5-5: Global suppression of SC2155 repeats a previously-flagged smell
See earlier review: the blanket ignore hides unrelated issues; limit the suppression to the specific line that needs it.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 585d929 and 494f23d.

📒 Files selected for processing (1)
  • .docker/cli.dockerfile (2 hunks)
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-docs

AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from 494f23d to 3006705 on July 23, 2025 01:13
github-actions bot temporarily deployed to commit on July 23, 2025 01:15
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (5)
.docker/cli.dockerfile (2)

72-76: Secret mount still optional & token still exported – please hard-fail and inline it

The layer proceeds without authentication when the secret is missing and still exports the token into the shell.
Mark the secret required=true, keep the token in-memory only for Composer, and drop the export to shrink exposure.

-# Install PHP dependencies without development packages to avoid exposing
-# potential security vulnerabilities in the production environment.
-RUN --mount=type=secret,id=github_token \
-    if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; fi && \
-    COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
+# syntax=docker/dockerfile:1.6
+# Install PHP deps (prod) with mandatory GitHub auth, keep token in-memory only
+RUN --mount=type=secret,id=github_token,required=true \
+    if [ -s /run/secrets/github_token ]; then \
+      # shellcheck disable=SC2155
+      COMPOSER_AUTH="$(jq -cn --arg tok "$(cat /run/secrets/github_token)" \
+        '{\"github-oauth\": {\"github.com\": $tok}}')" \
+    fi && \
+    COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
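Review bot: this suggestion does not run as written. The `COMPOSER_AUTH="$(jq ...)" \` line ends in a continuation, so the shell sees the assignment immediately followed by `fi`, which leaves the `if` unclosed and is a syntax error; and even with `fi` on its own line, an unexported assignment followed by `&&` is not visible to `composer` on the next command. The jq filter is inside single quotes, so the `\"` escapes reach jq literally and the filter fails to parse; it should be `'{"github-oauth": {"github.com": $tok}}'`. The `# syntax=` line is ignored at this position because it is not line 1. The intent (token visible to composer only) is right; the working form is an assignment prefix on the composer command, `COMPOSER_AUTH="$(jq -cn --arg tok "$(cat /run/secrets/github_token)" '{"github-oauth":{"github.com":$tok}}')" composer install ...`, which also requires `jq` to be present in the image.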

5-5: Remove global SC2155 suppression – go local instead

Project-wide mute hides future issues; keep only DL3018 globally and add a line-local # shellcheck disable=SC2155 where needed (see diff above).

.github/workflows/build-test-deploy.yml (1)

241-260: DRY up GITHUB_TOKEN – set once at container.env

GITHUB_TOKEN is now repeated per step. Define it once in the job’s container.env block (alongside TZ, TERM, …) and delete the per-step env sections to avoid future omissions.

@@
       env:
         TZ: ${{ vars.TZ || 'UTC' }}
         TERM: xterm-256color
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@
-      - name: Build stack
-        run: docker compose up -d
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build stack
+        run: docker compose up -d
@@
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
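Review bot: moving `GITHUB_TOKEN` into the job's container `env:` removes the duplication but widens exposure: a job-level variable is visible to every step that runs in that container, including any third-party actions, whereas the per-step `env:` blocks being removed limit the token to the `docker compose` build steps that need it. If the job runs marketplace or otherwise untrusted actions, the repetition is the safer of the two, and whichever is chosen the trade-off should be stated in the commit.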
.vortex/tests/bats/fixtures/docker-compose.env_mod.json (2)

9-14: Same compatibility caveat as in the other fixture

See previous comment about verifying Compose support for the environment field in secrets.


133-138: Mirror the explicit target suggestion

Replicate the explicit target attribute here to keep all fixtures consistent.

 "secrets": [
   {
-    "source": "github_token"
+    "source": "github_token",
+    "target": "github_token"
   }
 ]
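Review bot: `target` on a build secret sets the name the build mounts it under and defaults to `source`, so this addition is a no-op unless the two names ever diverge. If it is kept for consistency across fixtures, the value must stay equal to the `id=github_token` used in `.docker/cli.dockerfile`; a mismatch leaves `/run/secrets/github_token` absent, and with `required=true` on the mount the build aborts.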
📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 494f23d and 3006705.

⛔ Files ignored due to path filters (16)
  • .vortex/installer/tests/Fixtures/install/_baseline/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/names/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_clamav/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_solr/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_valkey/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_none/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_custom/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (7)
  • .docker/cli.dockerfile (2 hunks)
  • .github/workflows/build-test-deploy.yml (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_local.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_mod.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.noenv.json (2 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot
.github/workflows/build-test-deploy.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

docker-compose.yml (1)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.docker/cli.dockerfile (1)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (5)
docker-compose.yml (2)

102-104: Double-check Compose/Engine compatibility for build.secrets

build.secrets requires Docker Engine ≥ 23.0 and Compose v2.20+.
Make sure CI and local dev boxes run versions that honour this key; otherwise the token won’t reach BuildKit.


275-278: Good move to top-level secret block – LGTM

.vortex/tests/bats/fixtures/docker-compose.noenv.json (1)

9-14: Fixture stays in sync – nice

.vortex/tests/bats/fixtures/docker-compose.env.json (1)

9-14: Fixture updated correctly

.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

9-14: Ensure the CI/Compose runtime supports environment-backed secrets

The environment key for secrets is only recognised by recent Compose/Buildx releases (≈ v2.22+). Older versions will silently ignore the secret and your build will fall back to an unauthenticated Composer install.

Please confirm the Docker/Compose version used in CI and local development, or provide a fallback (e.g. file-based secret) to avoid breaking older environments.

Comment on lines 133 to 139
"dockerfile": ".docker/cli.dockerfile",
"secrets": [
{
"source": "github_token"
}
]

🧹 Nitpick (assertive)

Add an explicit target for the build secret to lock the mount path

Relying on the implicit /run/secrets/<source> mount works, but being explicit guards against future Compose/BuildKit changes and makes the intent crystal-clear.

 "secrets": [
   {
-    "source": "github_token"
+    "source": "github_token",
+    "target": "github_token"
   }
 ]
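Review bot: `"target": "github_token"` is a bare name here while the agent prompt for the same change spells it as a full path (`/run/secrets/github_token`); settle on one form for every fixture, and verify that whichever you choose still lines up with `id=github_token` in the Dockerfile's `RUN --mount=type=secret` line, otherwise the `[ -s /run/secrets/github_token ]` check never sees the file and the build quietly runs unauthenticated.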
🤖 Prompt for AI Agents
In .vortex/tests/bats/fixtures/docker-compose.env_local.json around lines 133 to
138, the build secret definition lacks an explicit "target" field specifying the
mount path. To fix this, add a "target" property to the secret object with the
explicit path where the secret should be mounted, such as
"/run/secrets/github_token", to ensure clarity and prevent issues from future
Compose or BuildKit changes.

@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from 3006705 to 08f7a26 Compare July 23, 2025 01:22
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 01:24 Inactive
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (2)
.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

133-138: Add an explicit target to lock the mount path

Same remark as in previous iterations: being explicit guards against future Compose / BuildKit quirks and makes the intent obvious.

                 "secrets": [
                     {
-                        "source": "github_token"
+                        "source": "github_token",
+                        "target": "github_token"
                     }
                 ]
.vortex/tests/bats/fixtures/docker-compose.env.json (1)

133-138: Repeat: specify target for the build secret

For completeness, mirror the change suggested in the other fixture:

                 "secrets": [
                     {
-                        "source": "github_token"
+                        "source": "github_token",
+                        "target": "github_token"
                     }
                 ]
📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3006705 and 08f7a26.

⛔ Files ignored due to path filters (16)
  • .vortex/installer/tests/Fixtures/install/_baseline/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/names/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_clamav/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_solr/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_valkey/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_none/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_custom/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (7)
  • .docker/cli.dockerfile (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_local.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_mod.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.noenv.json (2 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (8)
📓 Common learnings
Learnt from: AlexSkrypnyk
PR: drevops/vortex#1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot
.docker/cli.dockerfile (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.github/workflows/build-test-deploy.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.noenv.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

docker-compose.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.env_mod.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.env.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.945Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (8)
docker-compose.yml (2)

101-104: Build-time secret correctly attached

The cli.build.secrets stanza is the right way to feed the token only at build time – nice.


275-278: Top-level secret definition looks good

Mapping the secret from the env keeps local workflows simple while preventing it from ending up in image layers.

.vortex/tests/bats/fixtures/docker-compose.noenv.json (2)

9-14: Fixtures updated to match new secret model

The added github_token secret mirrors production config – keeps tests relevant.


133-138: CLI fixture consumes the secret correctly

build.secrets reference ensures parity with the main compose file.

.vortex/tests/bats/fixtures/docker-compose.env_mod.json (2)

9-14: Secret wiring mirrors other fixtures

Consistent secret definition across fixtures – good.


133-138: cli service now uses the secret

Keeps the Matrix fixture in sync with real builds.

.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

9-14: GitHub token secret is correctly promoted to a Docker secret

Mapping the secret to an environment variable keeps local workflows simple while removing it from the build args – nice.

.vortex/tests/bats/fixtures/docker-compose.env.json (1)

9-14: Secret definition LGTM

Consistently introduces github_token across fixtures – great for parity with the main compose file.

Comment on lines 72 to 80
# Install PHP dependencies without development packages to avoid exposing
# potential security vulnerabilities in the production environment.
# hadolint ignore=SC2155
RUN --mount=type=secret,id=github_token \
if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; fi && \
COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader

🧹 Nitpick (assertive)

Prefer in-memory secret and add explicit BuildKit frontend header

  1. export COMPOSER_AUTH=… leaves the token in the shell env for the remainder of the layer.
    Inline it for the Composer process only to reduce exposure surface.
  2. --mount=type=secret relies on the BuildKit frontend ≥ 1.2; add # syntax=docker/dockerfile:1.6 at the very top so older builders don’t silently fall back to the legacy frontend.
+# syntax=docker/dockerfile:1.6-RUN --mount=type=secret,id=github_token \
-    if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; fi && \
+RUN --mount=type=secret,id=github_token \
+    if [ -s /run/secrets/github_token ]; then \
+      # shellcheck disable=SC2155
+      COMPOSER_AUTH="$(jq -cn --arg tok "$(cat /run/secrets/github_token)" \
+        '{"github-oauth": {"github.com": $tok}}')" \
+    fi && \
     COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
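Review bot: the suggested `COMPOSER_AUTH="$(jq …)"` inside the `if` block is a plain shell assignment, not an `export`, so the `composer install` after the `fi` never sees the token; the `export` in the original line is what made it reach Composer. The trailing backslash on the assignment line also joins it with `fi` into one command and breaks the `if … fi` structure. The `# syntax=docker/dockerfile:1.6` directive only takes effect as the very first line of the file, not inside this hunk (the merged `+# syntax=docker/dockerfile:1.6-RUN …` line above would not apply as written), and `jq` availability in the base image should be checked rather than assumed. To get the intended effect of keeping the token out of the layer's environment, scope it to the single command instead: `COMPOSER_AUTH="…" COMPOSER_MEMORY_LIMIT=-1 composer install …`, leaving the `[ -s /run/secrets/github_token ]` guard to decide whether the prefix is added.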

(jq is already available in the base Alpine image.)

Suggested change
# Install PHP dependencies without development packages to avoid exposing
# potential security vulnerabilities in the production environment.
# hadolint ignore=SC2155
RUN --mount=type=secret,id=github_token \
if [ -s /run/secrets/github_token ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"$(cat /run/secrets/github_token)\"}}"; fi && \
COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
# syntax=docker/dockerfile:1.6
# Install PHP dependencies without development packages to avoid exposing
# potential security vulnerabilities in the production environment.
# hadolint ignore=SC2155
RUN --mount=type=secret,id=github_token \
if [ -s /run/secrets/github_token ]; then \
# shellcheck disable=SC2155
COMPOSER_AUTH="$(jq -cn --arg tok "$(cat /run/secrets/github_token)" \
'{"github-oauth": {"github.com": $tok}}')" \
fi && \
COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
🤖 Prompt for AI Agents
In .docker/cli.dockerfile around lines 72 to 77, avoid exporting the GitHub
token as an environment variable to reduce exposure by inlining the
COMPOSER_AUTH value directly in the composer command. Also, add the line "#
syntax=docker/dockerfile:1.6" at the very top of the Dockerfile to ensure
BuildKit frontend version 1.6 or higher is used, preventing fallback to legacy
frontends. Use jq to inline the token securely within the composer command
without persisting it in the shell environment.

Comment on lines 171 to 174
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VORTEX_CONTAINER_REGISTRY_USER: ${{ secrets.VORTEX_CONTAINER_REGISTRY_USER }}
VORTEX_CONTAINER_REGISTRY_PASS: ${{ secrets.VORTEX_CONTAINER_REGISTRY_PASS }}

⚠️ Potential issue

👍 Secret grouping looks good — but Composer token isn’t expanded during install

The env-block re-ordering is clearer.
However, the install step later in the job still wraps the JSON in single quotes, so ${GITHUB_TOKEN-} never expands and Composer runs unauthenticated.

# current (no expansion)
export COMPOSER_AUTH='{"github-oauth": {"github.com": "${GITHUB_TOKEN-}"}}'

# fix
export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"${GITHUB_TOKEN}\"}}"

Consider applying the same in-memory trick suggested for the Dockerfile (jq …) to keep the token off the process table.

🤖 Prompt for AI Agents
In .github/workflows/build-test-deploy.yml around lines 171 to 174, the
COMPOSER_AUTH environment variable is set using single quotes which prevents the
GITHUB_TOKEN from expanding, causing Composer to run unauthenticated. To fix
this, change the export command to use double quotes with escaped inner quotes
so that the GITHUB_TOKEN variable expands properly. Additionally, consider using
a method like jq to inject the token securely in-memory to avoid exposing it on
the process table.

@github-actions github-actions bot added the CONFLICT Pull request has a conflict that needs to be resolved before it can be merged label Jul 23, 2025
@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from 08f7a26 to 1371c23 Compare July 23, 2025 11:36
@AlexSkrypnyk AlexSkrypnyk changed the title [#1601] Mask GITHUB_TOKEN during Docker build. [#1601] Mask PACKAGE_TOKEN during Docker build. Jul 23, 2025
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 11:38 Inactive
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🔭 Outside diff range comments (1)
.ahoy.yml (1)

94-97: PACKAGE_TOKEN is not forwarded to the container

The env-filter still whitelists GITHUB_ but not PACKAGE_, so PACKAGE_TOKEN will be stripped when docker compose exec is invoked via Ahoy. Composer commands inside the container will therefore not see the token.

-        docker compose exec $(env | cut -f1 -d= | grep "TERM\|COMPOSE_\|GITHUB_\|DOCKER_\|DRUPAL_\|VORTEX_" | sed 's/^/-e /') cli bash -c "$*"
+        docker compose exec $(env | cut -f1 -d= | grep "TERM\|COMPOSE_\|PACKAGE_\|DOCKER_\|DRUPAL_\|VORTEX_" | sed 's/^/-e /') cli bash -c "$*"
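Review bot: the replacement swaps `GITHUB_` for `PACKAGE_` instead of adding it, so any `GITHUB_*` variables still in use (the workflow env block in this PR still sets `GITHUB_TOKEN`) stop being forwarded into the container; add `PACKAGE_\|` to the pattern and keep `GITHUB_` until the rename is complete everywhere. Note also that the filter is prefix-based, so every `PACKAGE_*` variable in the host environment is forwarded, not only `PACKAGE_TOKEN`; if that prefix is shared with anything unrelated, match the exact name instead.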

(Repeat the same change two lines below.)

♻️ Duplicate comments (2)
.github/workflows/vortex-test-common.yml (2)

112-120: Repeat secret-name verification for matrix job

Same concern for the vortex-test-workflow job.


171-179: Repeat secret-name verification for deployment job

Same concern for the vortex-test-deployment job.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 08f7a26 and 1371c23.

⛔ Files ignored due to path filters (32)
  • .vortex/installer/tests/Fixtures/install/_baseline/.ahoy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.env.local is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.env.local.example is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/ciprovider_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/db_download_source_container_registry/.env.local is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/db_download_source_container_registry/.env.local.example is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/db_download_source_ftp/.env.local is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/db_download_source_ftp/.env.local.example is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_all_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_none_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deps_updates_provider_ci_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/.env.local is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/.env.local.example is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.env.local is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.env.local.example is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_clamav/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_solr/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_valkey/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_none/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/timezone_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/version_replacement/baseline/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/version_replacement/expected/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (21)
  • .ahoy.yml (1 hunks)
  • .circleci/config.yml (1 hunks)
  • .docker/cli.dockerfile (2 hunks)
  • .env.local.example (1 hunks)
  • .github/workflows/build-test-deploy.yml (3 hunks)
  • .github/workflows/vortex-test-common.yml (3 hunks)
  • .vortex/docs/.utils/variables/variables.excluded.txt (1 hunks)
  • .vortex/docs/content/contributing/maintenance/scripts.mdx (1 hunks)
  • .vortex/docs/content/contributing/maintenance/tests.mdx (2 hunks)
  • .vortex/docs/content/workflows/variables.mdx (1 hunks)
  • .vortex/installer/src/Prompts/Handlers/Internal.php (1 hunks)
  • .vortex/tests/README.md (1 hunks)
  • .vortex/tests/bats/_helper.bash (1 hunks)
  • .vortex/tests/bats/e2e/docker-compose.bats (1 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_local.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_mod.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.noenv.json (2 hunks)
  • .vortex/tests/phpunit/Functional/WorkflowTest.php (2 hunks)
  • composer.json (2 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (22)
📓 Common learnings
Learnt from: AlexSkrypnyk
PR: drevops/vortex#1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
.vortex/docs/.utils/variables/variables.excluded.txt (3)

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: AlexSkrypnyk
PR: #1697
File: .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docs/onboarding.md:16-17
Timestamp: 2025-06-02T00:41:36.321Z
Learning: DO NOT EVER REVIEW FILES IN .vortex/installer/tests/Fixtures/ directory - these are test fixtures and should not be reviewed under any circumstances.

.vortex/docs/content/contributing/maintenance/scripts.mdx (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/docs/content/contributing/maintenance/tests.mdx (3)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.

Learnt from: AlexSkrypnyk
PR: #1697
File: .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docs/onboarding.md:16-17
Timestamp: 2025-06-02T00:41:36.321Z
Learning: DO NOT EVER REVIEW FILES IN .vortex/installer/tests/Fixtures/ directory - these are test fixtures and should not be reviewed under any circumstances.

.ahoy.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

.vortex/tests/README.md (3)

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.

Learnt from: AlexSkrypnyk
PR: #1697
File: .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docs/onboarding.md:16-17
Timestamp: 2025-06-02T00:41:36.321Z
Learning: DO NOT EVER REVIEW FILES IN .vortex/installer/tests/Fixtures/ directory - these are test fixtures and should not be reviewed under any circumstances.

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.github/workflows/vortex-test-common.yml (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.circleci/config.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

.vortex/installer/src/Prompts/Handlers/Internal.php (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

.env.local.example (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

composer.json (1)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

.docker/cli.dockerfile (3)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.noenv.json (3)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.

Learnt from: AlexSkrypnyk
PR: #1697
File: .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docs/onboarding.md:16-17
Timestamp: 2025-06-02T00:41:36.321Z
Learning: DO NOT EVER REVIEW FILES IN .vortex/installer/tests/Fixtures/ directory - these are test fixtures and should not be reviewed under any circumstances.

.github/workflows/build-test-deploy.yml (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/docs/content/workflows/variables.mdx (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/phpunit/Functional/WorkflowTest.php (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

docker-compose.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.env_mod.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/_helper.bash (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.env.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/e2e/docker-compose.bats (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

🧬 Code Graph Analysis (1)
.vortex/tests/phpunit/Functional/WorkflowTest.php (2)
.vortex/tests/phpunit/Traits/LoggerTrait.php (1)
  • logSubstep (30-32)
.vortex/tests/phpunit/Traits/Steps/StepBuildTrait.php (2)
  • stepBuildFailure (65-81)
  • stepBuild (16-63)
🧰 Additional context used
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (29)
.vortex/docs/.utils/variables/variables.excluded.txt (1)

8-8: LGTM: Consistent token variable renaming

The change from TEST_GITHUB_TOKEN to TEST_PACKAGE_TOKEN aligns with the broader refactoring to standardize token naming across the project.

.vortex/tests/bats/e2e/docker-compose.bats (1)

99-99: LGTM: Consistent test environment cleanup

The change from unset GITHUB_TOKEN to unset PACKAGE_TOKEN correctly updates the test preparation to use the new token variable name, ensuring consistent test environment setup.

.vortex/docs/content/contributing/maintenance/scripts.mdx (1)

65-65: LGTM: Documentation updated to reflect new token naming

The example variable has been correctly updated from GITHUB_TOKEN to PACKAGE_TOKEN to align with the project's token renaming convention while maintaining the same documentation intent.

.vortex/tests/README.md (1)

92-92: LGTM: Environment variable documentation updated

The variable name has been correctly updated from TEST_GITHUB_TOKEN to TEST_PACKAGE_TOKEN to align with the project's token renaming convention.

.vortex/docs/content/contributing/maintenance/tests.mdx (2)

22-22: LGTM: Test command example updated with new token variable

The command example has been correctly updated to use TEST_PACKAGE_TOKEN instead of TEST_GITHUB_TOKEN, ensuring the documentation remains accurate with the codebase changes.


32-32: LGTM: Multi-line command example updated consistently

The multi-line command example has been correctly updated to use TEST_PACKAGE_TOKEN, maintaining consistency with the token renaming across all documentation examples.

.github/workflows/vortex-test-common.yml (1)

24-31: Verify new secret is configured in repo settings

TEST_PACKAGE_TOKEN must exist in the repository / org secrets or these jobs will fail at runtime.
Please double-check that TEST_PACKAGE_TOKEN has been added before merging.

docker-compose.yml (1)

276-279: Secret definition LGTM

Secret is sourced from the env var and not marked required, matching project guidance.

.circleci/config.yml (1)

267-267: LGTM: Token environment variable updated consistently

The change from GITHUB_TOKEN to PACKAGE_TOKEN in the Composer authentication setup aligns with the broader effort to rename the token environment variable across the codebase.

.github/workflows/build-test-deploy.yml (3)

62-64: LGTM: Container environment updated for token renaming

The environment variables in the database job's container configuration have been properly updated to use PACKAGE_TOKEN instead of GITHUB_TOKEN, maintaining consistency with the broader token renaming effort.


172-174: LGTM: Build job environment updated consistently

The build job's container environment has been properly updated to use PACKAGE_TOKEN, ensuring consistency across all jobs in the workflow.


255-255: LGTM: Composer authentication updated for token renaming

The Composer authentication setup has been correctly updated to use PACKAGE_TOKEN instead of GITHUB_TOKEN, maintaining the same conditional logic while using the renamed environment variable.

composer.json (2)

10-10: LGTM: Private package added for authentication testing

The addition of drevops/generic-private-package provides a test case for private package authentication using the new PACKAGE_TOKEN mechanism, which is essential for validating the token masking functionality.


62-65: LGTM: VCS repository added for private package

The VCS repository configuration for the private package is correctly set up to enable Composer to fetch from the GitHub repository using the authenticated token.

.vortex/tests/phpunit/Functional/WorkflowTest.php (2)

56-61: LGTM: Test updated for token renaming

The test has been correctly updated to use TEST_PACKAGE_TOKEN instead of TEST_GITHUB_TOKEN, maintaining the same test logic while aligning with the broader token renaming effort.


72-76: LGTM: Environment variable usage updated consistently

The test steps have been properly updated to use PACKAGE_TOKEN instead of GITHUB_TOKEN, ensuring the test validates the new token mechanism.

.vortex/tests/bats/fixtures/docker-compose.noenv.json (3)

9-14: LGTM: Docker secrets configuration added

The top-level secrets section correctly defines the package_token secret that maps the PACKAGE_TOKEN environment variable, following Docker Compose secrets best practices.


129-129: LGTM: Build argument updated for token renaming

The build argument has been correctly updated from GITHUB_TOKEN to PACKAGE_TOKEN to align with the token renaming effort.


135-139: LGTM: Build secrets configuration added

The secrets array in the CLI service build configuration correctly references the package_token secret, enabling secure token injection during the build process using Docker BuildKit secrets.

.vortex/installer/src/Prompts/Handlers/Internal.php (1)

94-112: LGTM! Clean implementation of private package removal.

The logic correctly handles composer.json cleanup by:

  • Safely checking file existence and JSON validity
  • Removing the specific private package dependency
  • Filtering out related repository entries
  • Maintaining proper JSON formatting with pretty print

This cleanup step appropriately removes internal development dependencies from the final installer output.

.vortex/tests/bats/fixtures/docker-compose.env.json (2)

9-14: LGTM! Proper secrets configuration added.

The secrets section correctly defines the package_token secret with appropriate environment variable mapping.


129-139: LGTM! Consistent migration from GITHUB_TOKEN to PACKAGE_TOKEN.

The build configuration properly:

  • Updates the build argument to use PACKAGE_TOKEN
  • References the package_token secret for secure token handling
  • Maintains consistency with the Docker secrets approach
.docker/cli.dockerfile (2)

22-23: LGTM! Consistent token variable renaming.

The build arguments properly migrate from GITHUB_TOKEN to PACKAGE_TOKEN.


77-80: LGTM! Proper Docker secrets implementation with fallback support.

The implementation correctly:

  • Uses Docker BuildKit secrets mounting for secure token handling
  • Provides fallback to environment variable when secret is unavailable
  • Allows unauthenticated installs when no token is present (aligns with project requirements)
  • Sets COMPOSER_AUTH appropriately for GitHub OAuth

This approach properly balances security with the flexibility needed for unauthenticated builds.

.vortex/tests/bats/fixtures/docker-compose.env_local.json (2)

9-14: LGTM! Consistent secrets configuration.

The secrets section is properly configured with the package_token definition.


129-139: LGTM! Proper token migration and secrets integration.

The CLI service build configuration correctly updates to use PACKAGE_TOKEN and integrates the package_token secret for secure token handling.

.vortex/tests/bats/fixtures/docker-compose.env_mod.json (2)

9-14: LGTM! Consistent secrets configuration with project-specific naming.

The secrets section properly defines the package_token secret with the project-specific name the_matrix_package_token.


129-139: LGTM! Consistent token migration across test fixtures.

The build configuration maintains consistency with other fixtures by properly migrating to PACKAGE_TOKEN and integrating Docker secrets for secure token handling.

.vortex/docs/content/workflows/variables.mdx (1)

297-304: Cross-reference still points to ${GITHUB_TOKEN} elsewhere.

You introduced PACKAGE_TOKEN here but .mdx later (see lines 1298-1306) still declares
VORTEX_NOTIFY_GITHUB_TOKEN with a default of ${GITHUB_TOKEN}.
If the intention is to drop/rename the original var, either update that default or keep the
GITHUB_TOKEN entry in this list; otherwise you’ll document a variable users can’t set.

Comment on lines 101 to 104
cmd: |
ahoy cli " \
if [ -n \"${GITHUB_TOKEN:-}\" ]; then export COMPOSER_AUTH='{\"github-oauth\": {\"github.com\": \"${GITHUB_TOKEN-}\"}}'; fi && \
if [ -n \"${PACKAGE_TOKEN:-}\" ]; then export COMPOSER_AUTH='{\"github-oauth\": {\"github.com\": \"${PACKAGE_TOKEN-}\"}}'; fi && \
COMPOSER_MEMORY_LIMIT=-1 composer --ansi $@"

🧹 Nitpick (assertive)

Minor shell-parameter typo

${PACKAGE_TOKEN-} works but ${PACKAGE_TOKEN:-} is clearer and consistent with earlier code.

-        if [ -n \"${PACKAGE_TOKEN:-}\" ]; then export COMPOSER_AUTH='{\"github-oauth\": {\"github.com\": \"${PACKAGE_TOKEN-}\"}}'; fi && \
+        if [ -n \"${PACKAGE_TOKEN:-}\" ]; then export COMPOSER_AUTH='{\"github-oauth\": {\"github.com\": \"${PACKAGE_TOKEN:-}\"}}'; fi && \
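Review bot: calling this a typo overstates it. `${PACKAGE_TOKEN-}` and `${PACKAGE_TOKEN:-}` differ only when the variable is set to an empty string, and the `[ -n \"${PACKAGE_TOKEN:-}\" ]` guard on the same line already skips that case, so the two forms behave identically here. Applying it for consistency with the guard is fine, but it is cosmetic, not a correctness fix, and should not be described as one.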
🤖 Prompt for AI Agents
In .ahoy.yml around lines 101 to 104, replace the shell parameter
`${PACKAGE_TOKEN-}` with `${PACKAGE_TOKEN:-}` to maintain clarity and
consistency with the earlier code usage. This involves updating the string
inside the export command to use the clearer `${PACKAGE_TOKEN:-}` syntax.

Comment on lines 69 to 71
# GitHub token used to overcome API rate limits or access private repositories.
# @see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
GITHUB_TOKEN=
PACKAGE_TOKEN=

🧹 Nitpick (assertive)

Update comment to match renamed variable

The explanatory comment still calls this a “GitHub token”, which will confuse readers now that the variable is PACKAGE_TOKEN.
Consider re-wording to something like “Token used for authenticated package downloads”.

🤖 Prompt for AI Agents
In .env.local.example around lines 69 to 71, update the comment above the
PACKAGE_TOKEN variable to reflect its purpose accurately. Replace the phrase
"GitHub token" with a description like "Token used for authenticated package
downloads" to avoid confusion and align the comment with the renamed variable.

Comment on lines 58 to 63
# Override real secrets with test secrets.
# For the development of the tests locally, export `TEST_` variables in your
# shell before running the tests.
export GITHUB_TOKEN="${TEST_GITHUB_TOKEN:-}"
export PACKAGE_TOKEN="${TEST_PACKAGE_TOKEN:-}"
export VORTEX_CONTAINER_REGISTRY_USER="${TEST_VORTEX_CONTAINER_REGISTRY_USER:-}"
export VORTEX_CONTAINER_REGISTRY_PASS="${TEST_VORTEX_CONTAINER_REGISTRY_PASS:-}"

🛠️ Refactor suggestion

Only export PACKAGE_TOKEN when a test value is provided

Exporting an empty string overwrites any real token that might already be present (e.g. when running the suite in CI).

- export PACKAGE_TOKEN="${TEST_PACKAGE_TOKEN:-}"
+if [ -n "${TEST_PACKAGE_TOKEN:-}" ]; then
+  export PACKAGE_TOKEN="${TEST_PACKAGE_TOKEN}"
+fi
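Review bot: the suggested guard contradicts the comment two lines above it, `# Override real secrets with test secrets.`: with the `if [ -n ... ]` wrapper, a run where `TEST_PACKAGE_TOKEN` is unset no longer clears `PACKAGE_TOKEN`, so any real token present in the runner's environment flows into the test suite, which is exactly what the unconditional export was preventing. If the override is intended, keep the original line; if letting a real token through is intended, update the comment so the behaviour is documented rather than accidental.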
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Override real secrets with test secrets.
# For the development of the tests locally, export `TEST_` variables in your
# shell before running the tests.
export GITHUB_TOKEN="${TEST_GITHUB_TOKEN:-}"
export PACKAGE_TOKEN="${TEST_PACKAGE_TOKEN:-}"
export VORTEX_CONTAINER_REGISTRY_USER="${TEST_VORTEX_CONTAINER_REGISTRY_USER:-}"
export VORTEX_CONTAINER_REGISTRY_PASS="${TEST_VORTEX_CONTAINER_REGISTRY_PASS:-}"
# Override real secrets with test secrets.
# For the development of the tests locally, export `TEST_` variables in your
# shell before running the tests.
if [ -n "${TEST_PACKAGE_TOKEN:-}" ]; then
export PACKAGE_TOKEN="${TEST_PACKAGE_TOKEN}"
fi
export VORTEX_CONTAINER_REGISTRY_USER="${TEST_VORTEX_CONTAINER_REGISTRY_USER:-}"
export VORTEX_CONTAINER_REGISTRY_PASS="${TEST_VORTEX_CONTAINER_REGISTRY_PASS:-}"
🤖 Prompt for AI Agents
In .vortex/tests/bats/_helper.bash around lines 58 to 63, the script exports
PACKAGE_TOKEN even when TEST_PACKAGE_TOKEN is empty, which can overwrite a real
token. Modify the code to export PACKAGE_TOKEN only if TEST_PACKAGE_TOKEN is set
and non-empty, preventing overwriting existing valid tokens with empty values.

* Make sure to run with TEST_PACKAGE_TOKEN=working_test_token or this test
* will fail.
*/
public function testGitHubToken(): void {

🧹 Nitpick (assertive)

Consider renaming the test method

While the functionality is correct, the method name testGitHubToken() might be confusing since it now tests PACKAGE_TOKEN. Consider renaming it to testPackageToken() or testPrivatePackageAuthentication() for clarity.

-  public function testGitHubToken(): void {
+  public function testPackageToken(): void {
📝 Committable suggestion


Suggested change
public function testGitHubToken(): void {
public function testPackageToken(): void {
🤖 Prompt for AI Agents
In .vortex/tests/phpunit/Functional/WorkflowTest.php at line 59, rename the test
method from testGitHubToken() to a more descriptive name like testPackageToken()
or testPrivatePackageAuthentication() to better reflect that it tests
PACKAGE_TOKEN rather than a GitHub token, improving clarity and maintainability.

Comment on lines 95 to 105
args:
WEBROOT: "${WEBROOT:-web}"
GITHUB_TOKEN: "${GITHUB_TOKEN:-}"
PACKAGE_TOKEN: "${PACKAGE_TOKEN:-}"
DRUPAL_PUBLIC_FILES: ${DRUPAL_PUBLIC_FILES:-sites/default/files}
DRUPAL_PRIVATE_FILES: ${DRUPAL_PRIVATE_FILES:-sites/default/files/private}
DRUPAL_TEMPORARY_FILES: ${DRUPAL_TEMPORARY_FILES:-/tmp}
DRUPAL_THEME: ${DRUPAL_THEME:-}
VORTEX_FRONTEND_BUILD_SKIP: ${VORTEX_FRONTEND_BUILD_SKIP:-}
secrets:
- package_token
image: &cli-image ${COMPOSE_PROJECT_NAME:-example_site}

🛠️ Refactor suggestion

Passing the token as a build-arg leaks it into the build cache

PACKAGE_TOKEN is now provided as a BuildKit secret. Keeping it as a build argument defeats the purpose and may expose the value in intermediate layers or image history.

-        PACKAGE_TOKEN: "${PACKAGE_TOKEN:-}"

Remove the line above and rely solely on the secrets: entry. Make sure .docker/cli.dockerfile no longer references the ARG.

🤖 Prompt for AI Agents
In docker-compose.yml around lines 95 to 105, the PACKAGE_TOKEN is passed both
as a build argument and as a secret, which risks leaking the token in the build
cache. Remove the PACKAGE_TOKEN line from the args section to avoid passing it
as a build argument. Then, update the .docker/cli.dockerfile to remove any ARG
PACKAGE_TOKEN references and instead access the token exclusively via the
BuildKit secret mechanism defined in the secrets section.

@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from 1371c23 to 21428e8 Compare July 23, 2025 11:46
@github-actions github-actions bot removed the CONFLICT Pull request has a conflict that needs to be resolved before it can be merged label Jul 23, 2025
@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/1601-mask-github-token branch from 21428e8 to f66048f Compare July 23, 2025 11:46
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 11:48 Inactive
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🔭 Outside diff range comments (2)
.docker/cli.dockerfile (1)

22-24: PACKAGE_TOKEN still baked into the final image – leaks the secret at runtime

Declaring both ARG PACKAGE_TOKEN and ENV PACKAGE_TOKEN=${PACKAGE_TOKEN} means:

  1. The token supplied via --build-arg ends up in an image layer and is retrievable with docker history or by inspecting the running container’s env.
  2. It defeats the purpose of moving to BuildKit secrets.

Unless the token must be available inside the running container (which the current CLI image rarely needs), drop these lines and rely solely on the BuildKit secret.
If it is required at runtime, consider an entry-point script that reads /run/secrets/package_token instead of storing the value in the image.

-ARG PACKAGE_TOKEN=""
-ENV PACKAGE_TOKEN=${PACKAGE_TOKEN}
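Review bot: removing these two lines without touching the fallback branch in the same file silently breaks the fallback: the `RUN` step quoted later in this review still does `else echo "${PACKAGE_TOKEN}"`, which after this change always yields an empty string, so any build that still passes `--build-arg PACKAGE_TOKEN=...` becomes unauthenticated with no error. The `ENV` line is the persistent leak, but an `ARG` referenced in a `RUN` step is also recorded in `docker history` for that layer, so if a fallback is wanted at all it should read the secret mount only, not a build argument.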
docker-compose.yml (1)

95-104: Duplicate token path – passing it as both build-arg & secret increases exposure

PACKAGE_TOKEN is now provided as a BuildKit secret. Leaving it in args
re-introduces the secret into the image build cache and the final env.

         WEBROOT: "${WEBROOT:-web}"
-        PACKAGE_TOKEN: "${PACKAGE_TOKEN:-}"
         DRUPAL_PUBLIC_FILES: ${DRUPAL_PUBLIC_FILES:-sites/default/files}
         ...
       secrets:
         - package_token

Drop the build arg (and the corresponding ARG/ENV in the Dockerfile – see
previous comment) to keep the token confined to the secret mount.

♻️ Duplicate comments (2)
.vortex/tests/bats/fixtures/docker-compose.noenv.json (1)

123-140: Fixture still ships the token as a build argument – mirrors the leakage

Same leakage concern as in docker-compose.yml. The fixture should drop
PACKAGE_TOKEN from build.args now that a secret is defined.

.github/workflows/build-test-deploy.yml (1)

254-256: Composer token still not expanded – quoting prevents variable interpolation

The single-quoted JSON blocks the ${PACKAGE_TOKEN} expansion, so Composer continues to run unauthenticated (same issue flagged earlier).

- if [ -n \"${PACKAGE_TOKEN:-}\" ]; then export COMPOSER_AUTH='{\"github-oauth\": {\"github.com\": \"${PACKAGE_TOKEN-}\"}}'; fi &&
+ if [ -n \"${PACKAGE_TOKEN:-}\" ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"${PACKAGE_TOKEN}\"}}"; fi &&
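Review bot: the premise of this suggestion does not hold for the line as quoted. The `\"` escapes show the whole `if ... fi` sits inside an outer double-quoted string, and in that position `${PACKAGE_TOKEN-}` is expanded by the outer shell before the inner single quotes are ever parsed, so the token is interpolated. Worse, the replacement opens `COMPOSER_AUTH="{` with an unescaped double quote, which would terminate that outer string and hand the remainder of the command to the wrong shell. Verify with a `set -x` trace of the step using a dummy token before changing the quoting.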
📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1371c23 and f66048f.

⛔ Files ignored due to path filters (13)
  • .vortex/installer/tests/Fixtures/install/_baseline/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_type_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_database_lagoon/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_clamav/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_solr/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_no_valkey/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/services_none/docker-compose.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.docker/cli.dockerfile is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_absent/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (7)
  • .docker/cli.dockerfile (1 hunks)
  • .github/workflows/build-test-deploy.yml (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_local.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.env_mod.json (2 hunks)
  • .vortex/tests/bats/fixtures/docker-compose.noenv.json (2 hunks)
  • docker-compose.yml (2 hunks)
🧠 Learnings (8)
📓 Common learnings
Learnt from: AlexSkrypnyk
PR: drevops/vortex#1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
docker-compose.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.docker/cli.dockerfile (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.vortex/tests/bats/fixtures/docker-compose.env_local.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.noenv.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.env.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.vortex/tests/bats/fixtures/docker-compose.env_mod.json (1)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.github/workflows/build-test-deploy.yml (2)

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (2)
🔇 Additional comments (3)
.docker/cli.dockerfile (1)

74-80: Token is still exported & lingers in the layer – inline it, then wipe

export COMPOSER_AUTH=… keeps the token in the shell environment for every
sub-command that follows in this layer (and shows up in ps output during the
build). Inline it for Composer only, and explicitly unset afterwards:

 RUN --mount=type=secret,id=package_token \
   token=$(if [ -s /run/secrets/package_token ]; then cat /run/secrets/package_token; else echo "${PACKAGE_TOKEN}"; fi) && \
-  if [ -n "${token}" ]; then export COMPOSER_AUTH="{\"github-oauth\": {\"github.com\": \"${token}\"}}"; fi && \
-  COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader
+  if [ -n "${token}" ]; then \
+    COMPOSER_AUTH=$(jq -cn --arg tok "${token}" '{"github-oauth": {"github.com": $tok}}'); \
+  fi && \
+  COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader && \
+  unset COMPOSER_AUTH token
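Review bot: the refactor as written disables authentication. `COMPOSER_AUTH=$(jq ...)` is a plain shell assignment, not an export, and the `composer install` on the following line is not prefixed with it, so the Composer process never receives `COMPOSER_AUTH` and every install runs unauthenticated; either prefix the command (`COMPOSER_AUTH="$auth" COMPOSER_MEMORY_LIMIT=-1 composer install ...`) or keep the `export`. The premise is also off: a `RUN` step's shell environment is discarded when the step ends and only filesystem changes are committed, so an exported variable does not linger in the layer and the trailing `unset COMPOSER_AUTH token` changes nothing in the image; what can persist is whatever Composer writes to disk (an `auth.json` or cache under its home directory), which is the thing to check. Two smaller points: whether `jq` exists in the base image should be verified against that image rather than asserted, and the `else echo "${PACKAGE_TOKEN}"` fallback on the first line keeps the build-arg path that the earlier comment in this same review asks to remove.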

(jq is already present in the Alpine base image.)

This keeps the secret in-memory only for the Composer process.

docker-compose.yml (1)

276-279: 👍 Top-level secret definition looks good

The package_token secret is correctly wired to the env variable – matches
Compose v3 syntax.

.github/workflows/build-test-deploy.yml (1)

171-174: Re-ordering looks good

Just a re-shuffle to group auth-related vars at the top. No functional impact.

Comment on lines +62 to +64
PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
VORTEX_CONTAINER_REGISTRY_USER: ${{ secrets.VORTEX_CONTAINER_REGISTRY_USER }}
VORTEX_CONTAINER_REGISTRY_PASS: ${{ secrets.VORTEX_CONTAINER_REGISTRY_PASS }}

🧹 Nitpick (assertive)

Scope PACKAGE_TOKEN only to the job that needs it

database never references PACKAGE_TOKEN, yet the secret is injected into the whole container. This widens the blast-radius of the secret and violates the principle of least privilege.
Drop the variable from the database job unless you have an upcoming step that genuinely consumes it.

🤖 Prompt for AI Agents
In .github/workflows/build-test-deploy.yml around lines 62 to 64, the secret
PACKAGE_TOKEN is currently injected into the entire workflow including the
database job where it is not used. To follow the principle of least privilege,
remove the PACKAGE_TOKEN environment variable from the database job's
environment section so that only the job that actually needs it has access to
this secret.

Comment on lines +9 to +14
"secrets": {
"package_token": {
"environment": "PACKAGE_TOKEN",
"name": "star_wars_package_token"
}
},

🧹 Nitpick (assertive)

Add explicit target for the secret to avoid implicit mount path

Being explicit makes intent clear and guards against future Compose/BuildKit defaults:

 "secrets": {
   "package_token": {
     "environment": "PACKAGE_TOKEN",
-    "name": "star_wars_package_token"
+    "name": "star_wars_package_token",
+    "target": "package_token"
   }
 },
🤖 Prompt for AI Agents
In .vortex/tests/bats/fixtures/docker-compose.env_local.json around lines 9 to
14, the secret definition for "package_token" lacks an explicit "target" field,
which can lead to implicit and unclear mount paths. Add a "target" property
specifying the exact mount path for the secret to make the intent explicit and
prevent reliance on Compose/BuildKit defaults.

Comment on lines +135 to +139
"secrets": [
{
"source": "package_token"
}
]
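Review bot: the long syntax for a secret reference defines only `source`, `target`, `uid`, `gid` and `mode`, so a `required` key in this block would be rejected by Compose validation rather than make the secret optional. Optionality is decided on the Dockerfile side: a `--mount=type=secret` is not required unless `required=true` is given, and when the secret is absent the build continues with no file at `/run/secrets/package_token`, which is the case a fallback in the Dockerfile has to cover. A one-line comment above this block saying so would stop someone reintroducing a Compose-level flag.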

🧹 Nitpick (assertive)

Consider marking the secret as non-required

If unauthenticated installs must remain possible (as per project convention), add "required": false to the secret spec so local builders without the token won’t fail.

🤖 Prompt for AI Agents
In .vortex/tests/bats/fixtures/docker-compose.env_local.json around lines 135 to
139, the secret "package_token" is currently required by default, which may
cause local builds to fail if the token is missing. To allow unauthenticated
installs as per project convention, add the property "required": false to the
secret object to mark it as non-required and prevent build failures when the
token is absent.

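As an added example, not the project's Dockerfile or any code from this PR, the POSIX shell below implements the "mounted secret first, environment variable second, unauthenticated otherwise" lookup the comments above discuss, the way a `RUN --mount=type=secret,id=package_token` step could invoke it. The path `/run/secrets/package_token` is BuildKit's default for that id; the function names, the hand-off through Composer's `COMPOSER_AUTH` variable, and the constructed secret file and build log are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the Vortex project or this PR: the "secret file
# first, environment variable second" token lookup that a Dockerfile RUN step
# with --mount=type=secret,id=package_token can call. /run/secrets/package_token
# is the BuildKit default path for that id; everything else is illustrative.
set -eu

# resolve_package_token SECRET_FILE [ENV_VALUE]
# Prints the token from the mounted secret when the file exists and is
# non-empty, otherwise the environment-provided value, otherwise nothing.
# An empty result is not an error: unauthenticated installs stay possible.
resolve_package_token() {
  secret_file=$1
  env_value=${2:-}
  if [ -s "$secret_file" ]; then
    # Strip a trailing newline that `echo "$TOKEN" > file` would have added.
    tr -d '\n' < "$secret_file"
  elif [ -n "$env_value" ]; then
    printf '%s' "$env_value"
  fi
}

# configure_composer_auth TOKEN
# Hands the token to Composer through COMPOSER_AUTH (JSON read from the
# environment of the `composer install` process) rather than through
# `composer config github-oauth.github.com`, so no auth.json holding the token
# is written into an image layer. Returns 0 when a token was set, 1 when the
# build proceeds unauthenticated. GitHub tokens are [A-Za-z0-9_], so no JSON
# escaping is needed here.
configure_composer_auth() {
  token=$1
  if [ -z "$token" ]; then
    echo "no PACKAGE_TOKEN available; continuing with unauthenticated installs" >&2
    return 1
  fi
  COMPOSER_AUTH=$(printf '{"github-oauth":{"github.com":"%s"}}' "$token")
  export COMPOSER_AUTH
  return 0
}

# token_leaked LOG_FILE TOKEN
# Returns 0 if the literal token appears in LOG_FILE (captured build output,
# or `docker history --no-trunc` of the built image), 1 otherwise. An empty
# token never counts as leaked, since grep -F '' would match every line.
token_leaked() {
  [ -n "$2" ] || return 1
  grep -qF -- "$2" "$1"
}

# Stand-alone demonstration with a constructed secret file standing in for
# /run/secrets/package_token and a constructed build log.
demo_dir=$(mktemp -d)
printf 'ghp_constructedExampleToken\n' > "$demo_dir/package_token"
demo_token=$(resolve_package_token "$demo_dir/package_token" "${PACKAGE_TOKEN:-}")
configure_composer_auth "$demo_token" || true
printf 'Installing dependencies from lock file\nUsing token from /run/secrets\n' > "$demo_dir/build.log"
if token_leaked "$demo_dir/build.log" "$demo_token"; then
  echo "token found in build output" >&2
else
  echo "build output does not contain the token" >&2
fi
rm -rf "$demo_dir"
```

Because the secret is consumed through a tmpfs mount and an environment variable of the `RUN` process, neither the token nor a Composer `auth.json` persists into the image; `token_leaked` is the check to run over the build log and `docker history` output before pushing.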
Successfully merging this pull request may close these issues.

Mask github token during the docker build

2 participants