fix(config): honour GOOSE_DISABLE_KEYRING from config.yaml at startup (#8219)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Douwe Osinga <douwe@squareup.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Douwe Osinga <douwe@squareup.com>
Luca Barbato
2026-04-02 15:54:30 +02:00
committed by GitHub
parent 8d4835f070
commit 070e519c7f
+24 -5
@@ -152,13 +152,16 @@ impl Default for Config {
}
});
let secrets = match env::var("GOOSE_DISABLE_KEYRING") {
Ok(_) => SecretStorage::File {
let secrets = if env::var("GOOSE_DISABLE_KEYRING").is_ok()
|| keyring_disabled_in_config(&config_path)
{
SecretStorage::File {
path: config_dir.join("secrets.yaml"),
},
Err(_) => SecretStorage::Keyring {
}
} else {
SecretStorage::Keyring {
service: KEYRING_SERVICE.to_string(),
},
}
};
Config {
config_path,
@@ -249,6 +252,22 @@ fn parse_yaml_content(content: &str) -> Result<Mapping, ConfigError> {
serde_yaml::from_str(content).map_err(|e| e.into())
}
/// Read the GOOSE_DISABLE_KEYRING flag from the config file.
///
/// Called before Config is fully initialised, so we do a minimal raw read
/// rather than going through `get_param`. All errors are treated as `false`
/// (keyring stays enabled) so a missing/malformed file is never fatal here.
fn keyring_disabled_in_config(config_path: &Path) -> bool {
std::fs::read_to_string(config_path)
.ok()
.and_then(|s| parse_yaml_content(&s).ok())
.and_then(|m| {
m.get("GOOSE_DISABLE_KEYRING")
.map(|v| v.as_bool().unwrap_or(false) || v.as_str().is_some_and(|s| s == "true"))
})
.unwrap_or(false)
}
impl Config {
/// Get the global configuration instance.
///
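Review bot: The two sources of GOOSE_DISABLE_KEYRING are interpreted differently. In the `Default` hunk, `env::var("GOOSE_DISABLE_KEYRING").is_ok()` selects the plaintext `secrets.yaml` store for any value, including `false` or an empty string, while `keyring_disabled_in_config` accepts only the YAML boolean `true` or the exact string `"true"` and silently ignores values such as `"TRUE"` or `1`. Because this flag decides whether secrets leave the OS keyring, a single shared parser would make the outcome predictable, for example `matches!(s.trim().to_ascii_lowercase().as_str(), "true" | "1")` applied to both the env value and the YAML string. Tightening the env side changes existing behaviour, so if that is not wanted the doc comment should at least state the asymmetry, e.g. `/// Note: the env var disables the keyring when set to any value; the config key must be true or "true".` A log line where `SecretStorage::File` is chosen would also show an operator which source disabled the keyring; the body of `impl Default for Config` starts and ends outside the hunk, so existing logging there is not visible.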