Skip to content

Fixed 1Password op:// secrets being clobbered by .env loading#413

Merged
ejacquier merged 3 commits intomainfrom
op-support
May 5, 2026
Merged

Fixed 1Password op:// secrets being clobbered by .env loading#413
ejacquier merged 3 commits intomainfrom
op-support

Conversation

@ejacquier
Copy link
Copy Markdown
Contributor

@ejacquier ejacquier commented May 4, 2026

Summary

When using op run --env-file .env -- cre workflow simulate ... (the documented 1Password workflow), secrets were not being resolved — the literal op://vault/item/field string was injected instead of the actual secret value.

Root cause: loadEnvFile used godotenv.Overload, which reads the .env file from disk and overwrites all matching env vars already in the process. Since op run injects resolved secrets before launching cre, and cre then re-reads the same .env file with
Overload, the unresolved op:// reference would clobber the value op run had already set.

Fix

Replace godotenv.Overload with a godotenv.Read + manual loop. For each key in the file:

  • Plain values → os.Setenv as before (file-beats-shell semantics preserved)
  • op:// values → skip os.Setenv, leaving whatever op run resolved in the environment untouched

@ejacquier ejacquier requested a review from a team as a code owner May 4, 2026 19:54
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

👋 ejacquier, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@anirudhwarrier anirudhwarrier requested a review from Copilot May 5, 2026 03:28
Copilot AI reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a configuration-loading edge case when running cre under op run --env-file ..., where unresolved op://... placeholders from the .env file were overwriting secrets that op run had already resolved and injected into the process environment.

Changes:

  • Replace godotenv.Overload usage with godotenv.Read plus a manual os.Setenv loop.
  • Skip applying .env entries whose values begin with op:// to avoid clobbering 1Password-resolved secrets.
  • Add a regression test ensuring op:// values don’t overwrite an already-set environment variable.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
internal/settings/settings.go Changes env-file loading to selectively apply vars while preserving op run-resolved secrets.
internal/settings/settings_load_test.go Adds coverage for the new “skip op:// values” behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/settings/settings.go
Comment thread internal/settings/settings.go Outdated
Comment thread internal/settings/settings_load_test.go
Comment on lines +255 to +260
// op:// reference must not clobber the value injected by op run.
assert.Equal(t, "resolved-value", os.Getenv("MY_SECRET"),
"op:// reference in .env should not overwrite the value resolved by op run")
// Plain values still override the shell env (Overload semantics preserved).
assert.Equal(t, "plain-value", os.Getenv("PLAIN_VAR"))
// loadedEnvVars still reflects the raw file content.
@ejacquier ejacquier added this pull request to the merge queue May 5, 2026
Merged via the queue into main with commit 6aaa64b May 5, 2026
22 checks passed
@ejacquier ejacquier deleted the op-support branch May 5, 2026 12:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@anirudhwarrier anirudhwarrier anirudhwarrier approved these changes

@Atrax1 Atrax1 Awaiting requested review from Atrax1

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ejacquier @anirudhwarrier