Conversation
Backend now requires --master-secret for all auth modes except token. Hardcode a fixed CI-only value so the platforma container keeps starting.
| # Packages can be large. We don't want to save them after execution. | ||
| command: | | ||
| --auth-htpasswd="/etc/htpasswd" | ||
| --master-secret="cGxhdGZvcm1hLWNpLW1hc3Rlci1zZWNyZXQtc3RhdGljLWRvLW5vdC11c2UtaW4tcHJvZA" |
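Review bot: the value on the `--master-secret=` line is passed as a container command-line argument, so besides being committed in (trivially decodable) base64 it is also readable from `docker inspect` and from the process list inside the container, and because it is a fixed human-readable label rather than random bytes, any code path that accepts it accepts a guessable secret. Consider reading it from an environment variable with a CI-only default, e.g. `--master-secret="${PL_MASTER_SECRET:-platforma-ci-master-secret-static-do-not-use-in-prod}"`, so a job can inject a fresh value without editing the file.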
Base64 provides no protection for the committed secret
The value cGxhdGZvcm1hLWNpLW1hc3Rlci1zZWNyZXQtc3RhdGljLWRvLW5vdC11c2UtaW4tcHJvZA decodes trivially to platforma-ci-master-secret-static-do-not-use-in-prod, so the master secret is effectively stored in plaintext in version control. While this is consistent with the other hardcoded test credentials in this file (testuser/testpassword for MinIO) and the decoded label clearly marks it CI-only, if the platforma backend accepts this value for any auth operation (even in CI), someone who forks or clones this repo gets a working secret. Consider surfacing it as a clearly named env var (e.g. ${PL_MASTER_SECRET:-platforma-ci-...}) so it follows the same pattern as other configurable values and can be overridden without a code change.
Path: actions/docker/pl-compose/docker-compose.yaml
Line: 29
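To make the review point concrete, here is an added shell example (not code from the pl-compose repository or from Greptile) that decodes the committed value, flags `--master-secret=` lines carrying a literal instead of a `${VAR}` interpolation, and generates a fresh per-run secret. The `PL_MASTER_SECRET` variable name follows the reviewer's suggestion, the two compose fragments are constructed for the self-check, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers for secrets passed as container command-line
# flags in a docker-compose file. Not part of the pl-compose repo.
set -eu

# The value committed on the --master-secret line (copied from the diff).
COMMITTED_B64='cGxhdGZvcm1hLWNpLW1hc3Rlci1zZWNyZXQtc3RhdGljLWRvLW5vdC11c2UtaW4tcHJvZA'

# Decode base64 that may lack '=' padding (GNU base64 -d rejects unpadded
# input). Demonstrates that encoding is not protection.
b64_decode_unpadded() {
  s=$1
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print each --master-secret= occurrence whose value is a literal rather than
# a ${VAR} interpolation; return 1 if any were found, 0 otherwise.
find_literal_master_secrets() {
  file=$1
  hits=$(grep -n -e '--master-secret=' "$file" \
         | grep -v -e '--master-secret="\{0,1\}\${' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Fresh random secret for one CI run: 48 random bytes, base64 (64 chars).
gen_ci_master_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Constructed compose fragments (hypothetical, not the repo's real file):
# the weak hardcoded form beside the env-var-driven form.
HARDCODED_FRAGMENT='    command: |
      --auth-htpasswd="/etc/htpasswd"
      --master-secret="cGxhdGZvcm1hLWNpLW1hc3Rlci1zZWNyZXQtc3RhdGljLWRvLW5vdC11c2UtaW4tcHJvZA"'
ENV_FRAGMENT='    command: |
      --auth-htpasswd="/etc/htpasswd"
      --master-secret="${PL_MASTER_SECRET:?set PL_MASTER_SECRET in the CI job}"'

# Write a fragment to a temp file, run the check, and echo "literal" or "ok".
classify_fragment() {
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  if find_literal_master_secrets "$tmp" >/dev/null; then
    rm -f "$tmp"; echo ok
  else
    rm -f "$tmp"; echo literal
  fi
}

# Stand-alone run: show the decoded committed value and classify both fragments.
printf 'decoded: %s\n' "$(b64_decode_unpadded "$COMMITTED_B64")"
printf 'hardcoded fragment: %s\n' "$(classify_fragment "$HARDCODED_FRAGMENT")"
printf 'env-var fragment:   %s\n' "$(classify_fragment "$ENV_FRAGMENT")"
```

In a CI job the pattern would be `export PL_MASTER_SECRET="$(gen_ci_master_secret)"` before `docker compose up`, with `find_literal_master_secrets actions/docker/pl-compose/docker-compose.yaml` as a pre-merge check; the `:?` form fails fast when the variable is unset, while the reviewer's `:-default` form keeps the current CI behaviour but still lets a job override the value.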
Greptile Summary
Adds a static `--master-secret` flag to the platforma container command in the CI Docker Compose config, working around a new backend requirement that mandates the flag for all auth modes except token-based auth.
`platforma-ci-master-secret-static-do-not-use-in-prod`: intentionally labeled as CI-only, consistent with the other hardcoded test credentials (testuser/testpassword) already present in the same file.
Confidence Score: 4/5
Safe to merge for CI use; the hardcoded secret is intentionally labeled as CI-only and mirrors the pattern of other test credentials already in the file.
The change is a single-line addition of a well-labeled static value. The only concern is that a master-secret is committed to version control in base64, which is trivially decodable — though the decoded string itself warns against production use and the surrounding file already follows the same pattern for MinIO credentials.
Important Files Changed
actions/docker/pl-compose/docker-compose.yaml: specifically the new --master-secret line, if the team later wants to move toward env-var-driven secrets for better auditability.
Sequence Diagram
```mermaid
sequenceDiagram
    participant CI as GitHub Actions Runner
    participant DC as docker-compose
    participant PL as platforma container
    participant MN as minio
    CI->>DC: docker compose up
    DC->>MN: start (testuser/testpassword)
    DC->>PL: start with --auth-htpasswd + --master-secret (static CI value)
    PL-->>DC: ready on :6345
    MN-->>DC: ready on :9000
    DC-->>CI: all services healthy
```
Reviews (1): Last reviewed commit: "pl-compose: set static --master-secret f..."