fix(provisioner): inject ADMIN_TOKEN into workspace container env (core#831) #885
Merged
devops-engineer
merged 1 commits from 2026-05-13 21:29:49 +00:00
fix/831-admin-token-in-workspace into main
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| b9ca3b0653 |
fix(provisioner): inject ADMIN_TOKEN into workspace container env (core#831)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s
CI / Detect changes (pull_request) Successful in 34s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Harness Replays / detect-changes (pull_request) Successful in 20s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m23s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 52s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
qa-review / approved (pull_request) Successful in 18s
security-review / approved (pull_request) Failing after 20s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 39s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m12s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 11s
CI / Python Lint & Test (pull_request) Successful in 10s
CI / Canvas (Next.js) (pull_request) Successful in 15s
Harness Replays / Harness Replays (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 12s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m25s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
sop-checklist / all-items-acked (pull_request) acked: 7/7
sop-checklist-gate / gate (pull_request) Successful in 42s
gate-check-v3 / gate-check (pull_request) Failing after 56s
sop-tier-check / tier-check (pull_request) Successful in 36s
CI / Platform (Go) (pull_request) Failing after 9m42s
CI / all-required (pull_request) Successful in 5s
audit-force-merge / audit (pull_request) Successful in 29s
CPProvisioner.Start() reads ADMIN_TOKEN from os.Getenv() and uses it for
CP→platform HTTP auth, but never passes it to the workspace container's
runtime env. Without ADMIN_TOKEN in the container, the integration-tester
workspace (ID: 33bb2f71) gets 401 from /admin/liveness, blocking Gate 5
and the release promotion cycle.
Fix (CP/SaaS mode): inject p.adminToken into the Env map sent to the
control plane so it reaches the EC2 instance's container env.
Fix (Docker/local mode): inject os.Getenv("ADMIN_TOKEN") from the
platform server into the Docker container env via buildContainerEnv. This
mirrors the SaaS path so any workspace in any mode can reach
/admin/liveness.
Safe: both paths only inject when ADMIN_TOKEN is non-empty (Docker/local
dev without ADMIN_TOKEN set is unaffected; the platform server's env
carries it in SaaS/prod).
Refs: core#831
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
