fix: exclude .env files from deploy artifact by default (#280)
Conversation
Add .env and .env.* to always_ignore so dotenv files are never bundled into deploy tarballs. Prevents silent upload of local dev secrets. Also update uv.lock to resolve stale runpod-python git pin. Closes AE-2574
Pull request overview
This PR hardens the Flash deploy packaging pipeline by ensuring dotenv files (e.g., .env, .env.local, .env.production) are excluded from the deploy artifact by default, preventing accidental upload of local secrets.
Changes:
- Add `.env` and `.env.*` to the built-in `always_ignore` patterns used when building deploy artifacts.
- Add unit tests validating dotenv matching and end-to-end exclusion from `get_file_tree`.
- Update `uv.lock` to refresh the `runpod-python` git pin (per PR description).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/runpod_flash/cli/utils/ignore.py | Extends built-in ignore patterns to always exclude dotenv files from artifact collection. |
| tests/unit/cli/utils/test_ignore.py | Adds targeted tests for dotenv ignore matching and file tree exclusion behavior. |
| uv.lock | Updates dependency lock state, including the runpod-python git source pin (per PR description). |
runpod-Henrik
left a comment
Henrik's AI-Powered Bug Finder
1. Core change — .env exclusion
Correct fix. .env and .env.* added to always_ignore is the right place and right scope.
Verified live: Deployed a worker with .env containing SECRET_SHOULD_NOT_LEAK=pr280_test, no .gitignore present. Worker returned {"SECRET": null} — the file was not bundled. On v1.10.1 (before this fix) the same setup returned the secret value.
One edge case: .env. (trailing dot) also matches .env.*. Not a real-world concern — no tooling produces files with that name — but worth being aware of.
.envrc (used by direnv) is not matched by either pattern. Reasonable scope for this PR.
2. Tests
Both new tests are well-structured. test_always_ignores_dotenv_files covers spec-level matching including subdirectory paths. test_excludes_dotenv_from_file_tree covers the end-to-end path through get_file_tree.
One gap: test_excludes_dotenv_from_file_tree doesn't verify that a .env in a subdirectory is excluded from the file tree — the spec test covers it at the pattern level but the integration test doesn't. Low risk since pathspec handles it uniformly, but worth adding for completeness.
3. uv.lock bump
runpod-python moves from 1.8.2.dev3 to 1.8.2.dev4. Side effect of running uv lock. Fine.
Nits
- The comment `# ...and secrets` is a bit broad — "dotenv files" would be more precise.
Verdict: PASS WITH NITS
Fix is correct, verified live. The subdirectory case in test_excludes_dotenv_from_file_tree is the only thing worth adding before merge.
🤖 Reviewed by Henrik's AI-Powered Bug Finder
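The matching behaviour discussed in the review above (patterns matching at any depth, the `.env.` trailing-dot edge case, and `.envrc` staying unmatched), as an added example that is not the runpod_flash project's own code: it reimplements gitignore-style per-component matching with `fnmatch` instead of the pathspec library the project uses (an assumption), and runs over a constructed sample file tree.

```python
"""Added example, not runpod_flash code: a minimal gitignore-style matcher
showing which files the new always_ignore patterns `.env` and `.env.*`
exclude from a deploy artifact. Uses fnmatch instead of pathspec so it
runs without extra dependencies (an assumption about equivalence for these
simple basename patterns)."""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# The two patterns this PR adds to always_ignore.
ALWAYS_IGNORE = [".env", ".env.*"]


def is_ignored(rel_path: str, patterns=ALWAYS_IGNORE) -> bool:
    """True if any path component matches an ignore pattern.

    A gitignore pattern without a '/' matches at any depth, so
    'subdir/.env' is excluded exactly like a top-level '.env'.
    Matching per component also keeps '*' from crossing directory
    boundaries, mirroring gitignore semantics."""
    parts = PurePosixPath(rel_path).parts
    return any(fnmatchcase(part, pat) for part in parts for pat in patterns)


def collect_files(tree: dict, patterns=ALWAYS_IGNORE) -> list:
    """Return the relative paths that would land in the deploy artifact.
    `tree` maps relative path -> file content (constructed sample input)."""
    return sorted(p for p in tree if not is_ignored(p, patterns))


# Constructed sample project; none of these are real files.
SAMPLE_TREE = {
    "main.py": "print('hello')",
    ".env": "SECRET_SHOULD_NOT_LEAK=pr280_test",
    ".env.local": "DB_URL=sqlite:///dev.db",
    ".env.production": "API_KEY=placeholder",
    "subdir/.env": "NESTED=1",              # nested dotenv, still excluded
    ".env.": "trailing-dot edge case",       # matches `.env.*` because * can be empty
    ".envrc": "use direnv",                  # direnv file, matched by neither pattern
    "config/env.txt": "not a dotenv",        # similar name, must stay in the bundle
}

if __name__ == "__main__":
    for path in SAMPLE_TREE:
        print(f"{path:18} -> {'ignored' if is_ignored(path) else 'bundled'}")
    print("artifact contents:", collect_files(SAMPLE_TREE))
```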
Pull request overview
Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.
📝 Documentation updates detected! Updated existing suggestion: Update Flash docs for .flashignore deprecation and built-in ignore patterns
Summary
- Add `.env` and `.env.*` to the `always_ignore` list in `cli/utils/ignore.py` so dotenv files are never bundled into deploy tarballs
- Update `uv.lock` to resolve stale `runpod-python` git pin

Context
`flash deploy` silently includes `.env` files in the upload artifact unless explicitly excluded via `.gitignore` or `.flashignore`. Users relying on `.env` for local dev secrets may unknowingly upload those secrets to deployed workers. This is the recommended fix direction from the issue: add `.env` to `always_ignore`. The `.env.*` glob also covers variants like `.env.local`, `.env.production`, `.env.staging`.

Closes AE-2574

Test plan
- `test_always_ignores_dotenv_files` validates `.env`, `.env.local`, `.env.production`, and `subdir/.env` are all matched
- `test_excludes_dotenv_from_file_tree` validates end-to-end: `.env` and `.env.local` files are excluded from `get_file_tree` output