Commit 24f2122
ci: set a dummy QSEAL_SECRET for the test jobs (fail-closed allow-paths need a signing secret)
Since the 0.4.x hardening, an allow-path that cannot sign its witness
refuses (POLICY_BLOCK) rather than run unsigned — by design. The
suite's documented invocation sets QSEAL_SECRET; CI never did, so
test_langchain_tool_allows_safe_read went red on the first CI exposure
of the fail-closed era. Bisected: same wheels pass with the secret set,
fail without it, on both PyPI-installed and repo code. Value is a
CI-only dummy, not a credential.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>1 parent 28697ce commit 24f2122
2 files changed
Lines changed: 10 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
21 | 26 | | |
22 | 27 | | |
23 | 28 | | |
| |||
48 | 53 | | |
49 | 54 | | |
50 | 55 | | |
| 56 | + | |
| 57 | + | |
51 | 58 | | |
52 | 59 | | |
53 | 60 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
16 | 19 | | |
17 | 20 | | |
18 | 21 | | |
| |||
0 commit comments