feat: use new sealedsecrets

CasLubbers · CasLubbers · commit 2d33b75be99a · 2026-04-16T16:32:41.000+02:00
diff --git a/src/git.ts b/src/git.ts
@@ -382,10 +382,6 @@ export class Git {
     return this.git.revparse('HEAD')
   }
 
-  async commitAndEncrypt(editor: string): Promise<void> {
-    await this.commit(editor)
-  }
-
   async pushWithRetry(): Promise<void> {
     try {
       const retries = env.GIT_PUSH_RETRIES
@@ -417,7 +413,7 @@ export class Git {
   async save(editor: string): Promise<void> {
     // we are in a unique developer branch, so we can pull, push, and merge
     // with the remote root, which might have been modified by another developer
-    await this.commitAndEncrypt(editor)
+    await this.commit(editor)
     await this.pushWithRetry()
   }
 }
diff --git a/src/otomi-stack.ts b/src/otomi-stack.ts
@@ -708,8 +708,17 @@ export default class OtomiStack {
   }): Promise<void> {
     const { otomi } = await this.getSettings()
     const updatedOtomi = buildUpdatedOtomiSettings(otomi, params)
+
+    // Encrypt the password into the otomi-secrets SealedSecret and strip it from the settings YAML
+    const sealedSecretRecord = await this.extractAndStoreSettingsSecrets('otomi', { otomi: updatedOtomi })
+    const valuesSchema = await getValuesSchema()
+    const subSchema = valuesSchema.properties?.otomi
+    if (subSchema) {
+      removeSettingsSecrets(extractSecretPaths(subSchema), updatedOtomi)
+    }
+
     const { filePath, aplObject } = await this.persistOtomiSettings(updatedOtomi)
-    await this.commitAndPushMigration({ ...params, filePath, aplObject })
+    await this.commitAndPushMigration({ ...params, filePath, aplObject, sealedSecretRecord })
   }
 
   private async persistOtomiSettings(
@@ -730,11 +739,12 @@ export default class OtomiStack {
     remoteHasContent: boolean
     filePath: string
     aplObject: AplObject
+    sealedSecretRecord?: AplRecord
   }): Promise<void> {
-    const { repoUrl, branch, password, username, remoteHasContent, filePath, aplObject } = params
+    const { repoUrl, branch, password, username, remoteHasContent, filePath, aplObject, sealedSecretRecord } = params
     const rootStack = await getSessionStack()
     try {
-      await this.git.commitAndEncrypt(this.editor!)
+      await this.git.commit(this.editor!)
       if (!remoteHasContent) {
         // Remote is empty: push so the new remote has the config pointing to itself
         await this.git.pushToNewRemote(repoUrl, branch, password, username)
@@ -743,6 +753,9 @@ export default class OtomiStack {
       await this.git.pushWithRetry()
       await rootStack.git.git.pull()
       rootStack.fileStore.set(filePath, aplObject)
+      if (sealedSecretRecord) {
+        rootStack.fileStore.set(sealedSecretRecord.filePath, sealedSecretRecord.content)
+      }
       debug(`Updated root stack values with ${this.sessionId} migration changes`)
     } catch (e) {
       e.message = getSanitizedErrorMessage(e)

Original file line number	Diff line number	Diff line change
`@@ -382,10 +382,6 @@ export class Git {`
`382`	`382`	`return this.git.revparse('HEAD')`
`383`	`383`	`}`
`384`	`384`
`385`		`- async commitAndEncrypt(editor: string): Promise<void> {`
`386`		`- await this.commit(editor)`
`387`		`- }`
`388`		`-`
`389`	`385`	`async pushWithRetry(): Promise<void> {`
`390`	`386`	`try {`
`391`	`387`	`const retries = env.GIT_PUSH_RETRIES`
`@@ -417,7 +413,7 @@ export class Git {`
`417`	`413`	`async save(editor: string): Promise<void> {`
`418`	`414`	`// we are in a unique developer branch, so we can pull, push, and merge`
`419`	`415`	`// with the remote root, which might have been modified by another developer`
`420`		`- await this.commitAndEncrypt(editor)`
	`416`	`+ await this.commit(editor)`
`421`	`417`	`await this.pushWithRetry()`
`422`	`418`	`}`
`423`	`419`	`}`