Check config without secrets.yaml

I have added a component to my config that uses !secret to import sensitive values and it is working fine locally where I have my secrets.yaml file.
Naturally I don’t want to include this data in my git repo, however this is causing my GitLab CI to fail with “secret not defined”.

$ hass --script check_config -c .
INFO:homeassistant.util.package:Attempting install of colorlog==4.0.2
Testing configuration at /builds/[username]/hass-config/.
Failed config
  General Errors: 
    - Error loading /builds/[username]/hass-config/./configuration.yaml: Secret something_sensitive not defined

Successful config (partial)
ERROR: Job failed: exit code 1

Is there an additional flag I can pass to the config check script or some low maintenance way of handling this situation?

You create a redacted version of your secrets.yaml and upload it to your repo, then get your ci script to rename the redacted one to secrets.yaml before processing the config check.

See my repo for a working example.


That seems about as straightforward as possible, thanks

I have been looking on your GitHub, I can’t find the solution for how to fix the secrets file.
I have the same issue as OP.

  stage: test
  image: homeassistant/raspberrypi3-homeassistant:latest
  script:
    - hass --script check_config -c .

I don’t know what CI that’s for, but at a guess try something like:

  stage: test
  image: homeassistant/raspberrypi3-homeassistant:latest
  script: |
    mv redacted_secrets.yaml secrets.yaml 
    hass --script check_config -c .

I’m using GitLab, it’s my first auto CI tool :slight_smile:

So I should create a dummy secrets file and replace it with a real one?

In my repository I have not_secrets.yaml:

tado_username: username
tado_password: password

I mv not_secrets.yaml secrets.yaml in my CI.

Not exactly. You create a dummy secrets file, and then tell your CI to rename it to secrets.yaml before it runs the config check.

But the local real secrets file remains unchanged and is included in the .gitignore file?

Yes, the real secrets file never goes to your git server because it is in .gitignore, so you don’t have a secrets.yaml there. When the CI runs, it renames the fake one to secrets.yaml so now you do have one and the config checker can do its thing.

Look at my repo, the CI script is in .circleci and the fake secrets is in .bin/github_resources
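
An added example, not taken from any poster's repository: instead of hand-maintaining the dummy file described in this thread, a CI step can generate it from the `!secret` references found in the config. The function names and the `placeholder` value are assumptions made for illustration.

```python
"""Generate a placeholder secrets.yaml for CI from the !secret references in a config tree."""
import re
import sys
from pathlib import Path

# Matches "!secret some_name" as written in Home Assistant YAML files.
SECRET_REF = re.compile(r"!secret\s+([A-Za-z0-9_]+)")


def find_secret_names(config_dir):
    """Return the sorted secret names referenced by YAML files under config_dir."""
    names = set()
    for path in Path(config_dir).rglob("*.yaml"):
        if path.name == "secrets.yaml":
            continue  # never read a secrets file, real or generated
        for line in path.read_text(encoding="utf-8").splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out reference
            code = line.split(" #", 1)[0]  # drop a trailing comment
            names.update(SECRET_REF.findall(code))
    return sorted(names)


def write_placeholder_secrets(config_dir, placeholder="placeholder"):
    """Write secrets.yaml with one dummy value per referenced name.

    Refuses to run if secrets.yaml already exists, so a real secrets file
    on a developer machine is never overwritten.
    """
    target = Path(config_dir) / "secrets.yaml"
    if target.exists():
        raise FileExistsError(f"{target} already exists; not overwriting it")
    names = find_secret_names(config_dir)
    body = "".join(f"{name}: {placeholder}\n" for name in names)
    target.write_text(body, encoding="utf-8")
    return names


if __name__ == "__main__":
    # Usage in CI, before `hass --script check_config -c .`:
    #   python make_placeholder_secrets.py .
    created = write_placeholder_secrets(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"wrote {len(created)} placeholder secrets")
```

A secret whose value must validate as a number, URL or similar still needs a hand-written dummy entry, since a generic string can fail the schema check.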