fix: wire BUILD_IROH_SERVICES_API_KEY into bundle and release workflows #149
Open
zachsmith1 wants to merge 2 commits into main from
Conversation
scotwells reviewed Apr 28, 2026
| env: | ||
| BUILD_N0DES_API_SECRET: ${{ secrets.N0DES_API_SECRET }} | ||
| BUILD_IROH_SERVICES_API_KEY: ${{ secrets.BUILD_IROH_SERVICES_API_KEY }} |
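Review bot: The value set on the `BUILD_IROH_SERVICES_API_KEY` line ends up inside every released app (the PR description says `option_env!()` bakes it in at compile time), so it has to be treated as a public client credential rather than a secret once a build ships. Before merging, record next to this `env:` block or in the PR what the key is scoped to and how it is rotated, and confirm that exposure of the value is acceptable for that scope. Minor style point on the same line: the neighbouring entry maps `BUILD_N0DES_API_SECRET` from `secrets.N0DES_API_SECRET`, while the new repository secret carries the `BUILD_` prefix in its own name; pick one convention.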
Contributor
What does this API key have access to? Just publishing telemetry?
Contributor
Author
@Frando do you have a good answer here? From what I can tell, there is no fine-grained access we can associate with these tokens.
The diagnostics module reads BUILD_IROH_SERVICES_API_KEY via option_env!() at compile time as a fallback when the runtime IROH_SERVICES_API_KEY isn't set, but neither workflow exported the secret to the build env, so released apps shipped without a key baked in and logged "Net diagnostics disabled: IROH_SERVICES_API_KEY not set" on launch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3b7e6b8 to 86dc324
The dep was declared with a bare git URL and no rev pin. Combined with bundle CI's `cargo generate-lockfile` step (which discards the committed lockfile before `dx bundle --locked`), every CI run resolved upstream HEAD. Upstream just landed a Select API change (`value` is now `Option<ReadSignal<Option<T>>>` and `placeholder` was removed), breaking the bundle build with no source changes on our side.

Pin to ffbc750 (the rev currently in Cargo.lock and the last known to build cleanly), matching the same approach used for the recent pkcs8 pin. Bumps should be deliberate going forward.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `BUILD_IROH_SERVICES_API_KEY` GitHub repo secret into the build env in both `bundle.yml` and `manual-release.yml`, alongside the other `BUILD_*` secrets.
- `option_env!("BUILD_IROH_SERVICES_API_KEY")` in `lib/src/diagnostics.rs:42` resolves to `None` at compile time, so released apps log `Net diagnostics disabled: IROH_SERVICES_API_KEY not set` on launch and net diagnostics never start unless the user manually exports the runtime env var.

Test plan
- `bundle` workflow run on this branch and confirm the build env contains `BUILD_IROH_SERVICES_API_KEY` (no value will be printed since it's a secret, but the step should not fail).
- `~/Library/Application Support/Datum/ui.log` shows `connecting to iroh-services for net diagnostics` and `Granted NetDiagnosticsCap::GetAny to iroh-services` on launch (rather than the "disabled" line).