4.3.4

.gitignore

@@ -3,6 +3,7 @@
 postgres-data
 # dependencies
 node_modules
+.pnpm-store/
 .pnp
 .pnp.js
 
@@ -67,4 +68,4 @@ apps/**/public/build
 **/.claude/settings.local.json
 .mcp.log
 .mcp.json
-.cursor/debug.log
+.cursor/debug.log

apps/supervisor/src/env.ts

@@ -81,6 +81,11 @@ const Env = z.object({
   KUBERNETES_FORCE_ENABLED: BoolEnv.default(false),
   KUBERNETES_NAMESPACE: z.string().default("default"),
   KUBERNETES_WORKER_NODETYPE_LABEL: z.string().default("v4-worker"),
+  KUBERNETES_RUNNER_ENV_SECRET_MOUNT_ENABLED: BoolEnv.default(false),
+  KUBERNETES_RUNNER_ENV_SECRET_NAME_PREFIX: z.string().default("runner-env"),
+  KUBERNETES_RUNNER_ENV_SECRET_KEY: z.string().default("secrets.env"),
+  KUBERNETES_RUNNER_ENV_SECRET_MOUNT_PATH: z.string().default("/var/run/secrets/runner-env"),
+  KUBERNETES_RUNNER_ENV_SECRET_OPTIONAL: BoolEnv.default(false),
   KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_LIMIT: z.string().default("10Gi"),
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_REQUEST: z.string().default("2Gi"),

apps/supervisor/src/index.ts

@@ -69,6 +69,11 @@ class ManagedSupervisor {
       snapshotPollIntervalSeconds: env.RUNNER_SNAPSHOT_POLL_INTERVAL_SECONDS,
       additionalEnvVars: env.RUNNER_ADDITIONAL_ENV_VARS,
       dockerAutoremove: env.DOCKER_AUTOREMOVE_EXITED_CONTAINERS,
+      runnerEnvSecretMountEnabled: env.KUBERNETES_RUNNER_ENV_SECRET_MOUNT_ENABLED,
+      runnerEnvSecretNamePrefix: env.KUBERNETES_RUNNER_ENV_SECRET_NAME_PREFIX,
+      runnerEnvSecretKey: env.KUBERNETES_RUNNER_ENV_SECRET_KEY,
+      runnerEnvSecretMountPath: env.KUBERNETES_RUNNER_ENV_SECRET_MOUNT_PATH,
+      runnerEnvSecretOptional: env.KUBERNETES_RUNNER_ENV_SECRET_OPTIONAL,
     } satisfies WorkloadManagerOptions;
 
     this.resourceMonitor = env.RESOURCE_MONITOR_ENABLED

apps/supervisor/src/workloadManager/kubernetes.ts

@@ -103,6 +103,8 @@ export class KubernetesWorkloadManager implements WorkloadManager {
     this.logger.log("[KubernetesWorkloadManager] Creating container", { opts });
 
     const runnerId = getRunnerId(opts.runFriendlyId, opts.nextAttemptNumber);
+    const runnerEnvSecretMount = this.#getRunnerEnvSecretMount(opts);
+    const basePodSpec = this.addPlacementTags(this.#defaultPodSpec, opts.placementTags);
 
     try {
       await this.k8s.core.createNamespacedPod({
@@ -119,9 +121,12 @@ export class KubernetesWorkloadManager implements WorkloadManager {
             },
           },
           spec: {
-            ...this.addPlacementTags(this.#defaultPodSpec, opts.placementTags),
+            ...basePodSpec,
             affinity: this.#getAffinity(opts.machine, opts.projectId),
             terminationGracePeriodSeconds: 60 * 60,
+            ...(runnerEnvSecretMount
+              ? { volumes: [...(basePodSpec.volumes ?? []), runnerEnvSecretMount.volume] }
+              : {}),
             containers: [
               {
                 name: "run-controller",
@@ -132,6 +137,17 @@ export class KubernetesWorkloadManager implements WorkloadManager {
                   },
                 ],
                 resources: this.#getResourcesForMachine(opts.machine),
+                ...(runnerEnvSecretMount
+                  ? {
+                      volumeMounts: [
+                        {
+                          name: runnerEnvSecretMount.volume.name,
+                          mountPath: runnerEnvSecretMount.mountPath,
+                          readOnly: true,
+                        },
+                      ],
+                    }
+                  : {}),
                 env: [
                   {
                     name: "TRIGGER_DEQUEUED_AT_MS",
@@ -245,6 +261,14 @@ export class KubernetesWorkloadManager implements WorkloadManager {
                         },
                       ]
                     : []),
+                  ...(runnerEnvSecretMount
+                    ? [
+                        {
+                          name: "TRIGGER_MOUNTED_ENV_FILE",
+                          value: runnerEnvSecretMount.filePath,
+                        },
+                      ]
+                    : []),
                   ...(this.opts.additionalEnvVars
                     ? Object.entries(this.opts.additionalEnvVars).map(([key, value]) => ({
                         name: key,
@@ -299,6 +323,49 @@ export class KubernetesWorkloadManager implements WorkloadManager {
     }
   }
 
+  #getRunnerEnvSecretMount(
+    opts: WorkloadManagerCreateOptions
+  ):
+    | {
+        mountPath: string;
+        filePath: string;
+        volume: k8s.V1Volume;
+      }
+    | undefined {
+    if (!this.opts.runnerEnvSecretMountEnabled) {
+      return undefined;
+    }
+
+    const prefix = this.opts.runnerEnvSecretNamePrefix?.trim();
+    const secretKey = this.opts.runnerEnvSecretKey?.trim();
+    const rawMountPath = this.opts.runnerEnvSecretMountPath?.trim();
+
+    if (!prefix || !secretKey || !rawMountPath) {
+      this.logger.warn("[KubernetesWorkloadManager] Runner env secret mount is enabled but invalid");
+      return undefined;
+    }
+
+    const envLabel = this.#envTypeToLabelValue(opts.envType);
+    const fileName = `${envLabel}.env`;
+    const mountPath = rawMountPath.replace(/\/+$/, "");
+    const filePath = `${mountPath}/${fileName}`;
+    const secretName = `${prefix}-${envLabel}`;
+    const volumeName = "runner-env-secret";
+
+    return {
+      mountPath,
+      filePath,
+      volume: {
+        name: volumeName,
+        secret: {
+          secretName,
+          optional: this.opts.runnerEnvSecretOptional,
+          items: [{ key: secretKey, path: fileName }],
+        },
+      },
+    };
+  }
+
   private getImagePullSecrets(): k8s.V1LocalObjectReference[] | undefined {
     return this.opts.imagePullSecrets?.map((name) => ({ name }));
   }

apps/supervisor/src/workloadManager/types.ts

@@ -11,6 +11,11 @@ export interface WorkloadManagerOptions {
   snapshotPollIntervalSeconds?: number;
   additionalEnvVars?: Record<string, string>;
   dockerAutoremove?: boolean;
+  runnerEnvSecretMountEnabled?: boolean;
+  runnerEnvSecretNamePrefix?: string;
+  runnerEnvSecretKey?: string;
+  runnerEnvSecretMountPath?: string;
+  runnerEnvSecretOptional?: boolean;
 }
 
 export interface WorkloadManager {

packages/build/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @basicblock/trigger-build
 
+## 4.3.4
+
+### Patch Changes
+
+- ok ([#5](https://github.com/BasicBlock/trigger.dev/pull/5))
+- Updated dependencies:
+  - `@basicblock/trigger-core@4.3.4`
+
 ## 4.3.3
 
 ### Patch Changes

packages/build/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@basicblock/trigger-build",
-  "version": "4.3.3",
+  "version": "4.3.4",
   "description": "trigger.dev build extensions",
   "license": "MIT",
   "publishConfig": {
@@ -79,7 +79,7 @@
   },
   "dependencies": {
     "@prisma/config": "^6.10.0",
-    "@basicblock/trigger-core": "workspace:4.3.3",
+    "@basicblock/trigger-core": "workspace:4.3.4",
     "mlly": "^1.7.1",
     "pkg-types": "^1.1.3",
     "resolve": "^1.22.8",

packages/cli-v3/CHANGELOG.md

@@ -1,5 +1,17 @@
 # trigger.dev
 
+## 4.3.4
+
+### Patch Changes
+
+- Fix runner getting stuck indefinitely when `execute()` is called on a dead child process. ([#2978](https://github.com/triggerdotdev/trigger.dev/pull/2978))
+- Add optional `timeoutInSeconds` parameter to the `wait_for_run_to_complete` MCP tool. Defaults to 60 seconds. If the run doesn't complete within the timeout, the current state of the run is returned instead of waiting indefinitely. ([#3035](https://github.com/triggerdotdev/trigger.dev/pull/3035))
+- ok ([#5](https://github.com/BasicBlock/trigger.dev/pull/5))
+- Updated dependencies:
+  - `@basicblock/trigger-core@4.3.4`
+  - `@basicblock/trigger-schema-to-json@4.3.4`
+  - `@basicblock/trigger-build@4.3.4`
+
 ## 4.3.3
 
 ### Patch Changes

packages/cli-v3/DEVELOPMENT.md

@@ -21,7 +21,7 @@ If you want to use it in a new folder, you need to first add it as a dev depende
 ```json
 //...
 "devDependencies": {
-    "trigger.dev": "workspace:*",
+    "@basicblock/trigger-cli": "workspace:*",
     //...
 }
 //...

packages/cli-v3/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@basicblock/trigger-cli",
-  "version": "4.3.3",
+  "version": "4.3.4",
   "description": "A Command-Line Interface for Trigger.dev projects",
   "type": "module",
   "license": "MIT",
@@ -94,9 +94,9 @@
     "@opentelemetry/sdk-trace-node": "2.0.1",
     "@opentelemetry/semantic-conventions": "1.36.0",
     "@s2-dev/streamstore": "^0.17.6",
-    "@basicblock/trigger-build": "workspace:4.3.3",
-    "@basicblock/trigger-core": "workspace:4.3.3",
-    "@basicblock/trigger-schema-to-json": "workspace:4.3.3",
+    "@basicblock/trigger-build": "workspace:4.3.4",
+    "@basicblock/trigger-core": "workspace:4.3.4",
+    "@basicblock/trigger-schema-to-json": "workspace:4.3.4",
     "ansi-escapes": "^7.0.0",
     "braces": "^3.0.3",
     "c12": "^1.11.1",

packages/cli-v3/src/entryPoints/managed-run-worker.ts

@@ -75,6 +75,63 @@ sourceMapSupport.install({
   hookRequire: false,
 });
 
+function parseEnvFile(contents: string): Record<string, string> {
+  return contents.split(/\r?\n/).reduce(
+    (acc, line) => {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) {
+        return acc;
+      }
+
+      const delimiterIndex = trimmed.indexOf("=");
+      if (delimiterIndex === -1) {
+        return acc;
+      }
+
+      const key = trimmed.slice(0, delimiterIndex).trim();
+      const value = trimmed.slice(delimiterIndex + 1).trim();
+
+      if (!key) {
+        return acc;
+      }
+
+      const unquotedValue =
+        (value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))
+          ? value.slice(1, -1)
+          : value;
+
+      acc[key] = unquotedValue;
+      return acc;
+    },
+    {} as Record<string, string>
+  );
+}
+
+async function loadMountedEnvFile() {
+  const mountedEnvPath = process.env.TRIGGER_MOUNTED_ENV_FILE ?? process.env.DOPPLER_SECRETS_FILE;
+  if (!mountedEnvPath) {
+    return;
+  }
+
+  try {
+    const envContents = await readFile(mountedEnvPath, "utf8");
+    const parsedEnv = parseEnvFile(envContents);
+
+    for (const [key, value] of Object.entries(parsedEnv)) {
+      // Keep explicit process env values intact (including Trigger-managed vars).
+      if (process.env[key] === undefined) {
+        process.env[key] = value;
+      }
+    }
+  } catch (error) {
+    console.error("Failed to load mounted env file", {
+      mountedEnvPath,
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+}
+
 process.on("uncaughtException", function (error, origin) {
   console.error("Uncaught exception", { error, origin });
   if (error instanceof Error) {
@@ -109,6 +166,8 @@ process.on("uncaughtException", function (error, origin) {
   }
 });
 
+await loadMountedEnvFile();
+
 const heartbeatIntervalMs = getEnvVar("HEARTBEAT_INTERVAL_MS");
 
 const standardLocalsManager = new StandardLocalsManager();