Canton config for deploy.prod.yaml by HardlyDifficult · Pull Request #173 · Fairmint/open-captable-protocol

HardlyDifficult · 2025-06-12T23:14:27Z

What?

Please describe what you're trying to accomplish in this PR.

Why?

What problem does this solve? Why is this important? What's the context?

Screenshots (optional)

cursor · 2025-06-12T23:15:44Z

🚨 BugBot couldn't run

Something went wrong. Try again by commenting "bugbot run", or contact support (requestId: serverGenReqId_ab9ab07b-1aa9-455b-aca8-634557094a09).

cursor

Bug: Dev Workflow Exposes Production Secrets

The deploy.dev.yaml workflow now injects production (FAIRMINT_MAINNET_*, TRANSFER_AGENT_MAINNET_CLIENT_SECRET) and DEVNET secrets into the dev runner and container. This exposes live-environment credentials on the less-trusted development host, creating an unnecessary security risk and increasing the blast radius if compromised. The workflow will also fail if these new secrets are not defined in the "dev" GitHub environment.

.github/workflows/deploy.dev.yaml#L58-L65

open-captable-protocol/.github/workflows/deploy.dev.yaml

Lines 58 to 65 in dff77a3

    
           RPC_URL: ${{ secrets.RPC_URL }} 
        
           FAIRMINT_MAINNET_USER_ID: ${{ secrets.FAIRMINT_MAINNET_USER_ID }} 
        
           FAIRMINT_MAINNET_PARTY_ID: ${{ secrets.FAIRMINT_MAINNET_PARTY_ID }} 
        
           TRANSFER_AGENT_MAINNET_CLIENT_SECRET: ${{ secrets.TRANSFER_AGENT_MAINNET_CLIENT_SECRET }} 
        
           FAIRMINT_DEVNET_USER_ID: ${{ secrets.FAIRMINT_DEVNET_USER_ID }} 
        
           FAIRMINT_DEVNET_PARTY_ID: ${{ secrets.FAIRMINT_DEVNET_PARTY_ID }} 
        
           TRANSFER_AGENT_DEVNET_CLIENT_SECRET: ${{ secrets.TRANSFER_AGENT_DEVNET_CLIENT_SECRET }}

Fix in Cursor

Was this report helpful? Give feedback by reacting with 👍 or 👎

HardlyDifficult added 2 commits June 12, 2025 19:14

Canton config for deploy.prod.yaml

9453690

Update deploy.dev.yaml

dff77a3

thibauld merged commit 09ce39d into main Jun 12, 2025
2 checks passed

thibauld deleted the HardlyDifficult-patch-1 branch June 12, 2025 23:18

cursor Bot reviewed Jun 12, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Canton config for deploy.prod.yaml#173

Canton config for deploy.prod.yaml#173
thibauld merged 2 commits intomainfrom
HardlyDifficult-patch-1

HardlyDifficult commented Jun 12, 2025

Uh oh!

cursor Bot commented Jun 12, 2025

Uh oh!

Uh oh!

cursor Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

	RPC_URL: ${{ secrets.RPC_URL }}
	FAIRMINT_MAINNET_USER_ID: ${{ secrets.FAIRMINT_MAINNET_USER_ID }}
	FAIRMINT_MAINNET_PARTY_ID: ${{ secrets.FAIRMINT_MAINNET_PARTY_ID }}
	TRANSFER_AGENT_MAINNET_CLIENT_SECRET: ${{ secrets.TRANSFER_AGENT_MAINNET_CLIENT_SECRET }}
	FAIRMINT_DEVNET_USER_ID: ${{ secrets.FAIRMINT_DEVNET_USER_ID }}
	FAIRMINT_DEVNET_PARTY_ID: ${{ secrets.FAIRMINT_DEVNET_PARTY_ID }}
	TRANSFER_AGENT_DEVNET_CLIENT_SECRET: ${{ secrets.TRANSFER_AGENT_DEVNET_CLIENT_SECRET }}

Conversation

HardlyDifficult commented Jun 12, 2025

What?

Why?

Screenshots (optional)

Uh oh!

cursor Bot commented Jun 12, 2025

🚨 BugBot couldn't run

Uh oh!

Uh oh!

cursor Bot left a comment

Choose a reason for hiding this comment

Bug: Dev Workflow Exposes Production Secrets

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants