Check config without secrets.yaml

reef-actor · January 19, 2019, 9:02pm

I have added a component to my config that uses !secret to import sensitive values and it is working fine locally where I have my secrets.yaml file.
Naturally I don’t want to include this data in my git repo, however this is causing my GitLab CI to fail with “secret not defined”

$ hass --script check_config -c .
INFO:homeassistant.util.package:Attempting install of colorlog==4.0.2
Testing configuration at /builds/[username]/hass-config/.
Failed config
  General Errors: 
    - Error loading /builds/[username]/hass-config/./configuration.yaml: Secret something_sensitive not defined

Successful config (partial)
ERROR: Job failed: exit code 1

Is there an additional flag I can pass to the config check script or some low maintenance way of handling this situation?

anon43302295 · January 19, 2019, 10:36pm

You create a redacted version of your secrets.yaml and upload it to your repo, then get your ci script to rename the redacted one to secrets.yaml before processing the config check.

See my repo for a working example.

link removed

reef-actor · January 19, 2019, 11:34pm

That seems about as straightforward as possible, thanks

elRadix · June 8, 2019, 6:14pm

Hi,

I have been looking on your github, I cant find the solution how to fix the secrets file.
I have same issue as OP.

test:
  stage: test
  image: homeassistant/raspberrypi3-homeassistant:latest
  script:
    - hass --script check_config -c .

anon43302295 · June 8, 2019, 11:14pm

I don’t know what ci that’s for, but at a guess try something like

test:
  stage: test
  image: homeassistant/raspberrypi3-homeassistant:latest
  script: |
    mv redacted_secrets.yaml secrets.yaml 
    hass --script check_config -c .

elRadix · June 11, 2019, 1:46pm

I’m using gitlab, it’s my first auto CI tool

So I should create a dummy secrets file and replace it with a real one?

reef-actor · June 11, 2019, 3:06pm

In my repository I have not_secrets.yaml:

tado_username: username
tado_password: password

I mv not_secrets.yaml secrets.yaml in my CI

anon43302295 · June 11, 2019, 3:32pm

Not exactly. You create a dummy secrets file, and then tell your ci to rename it to secrets.yaml before it runs the config check.

elRadix · June 11, 2019, 3:35pm

but the local real secrets files remains unchanged and is included in the .gitignore file?

anon43302295 · June 11, 2019, 4:00pm

Yes, the real secrets file never goes to your git server because it is in gitignore, so you don’t have a secrets.yaml there. When the CI runs it renames the fake one to secrets.yaml so now you do have one and the config checker can do it’s thing.

Look at my repo, the CI script is in .circleci and the fake secrets is in .bin/github_resources