feat(cre-local): enable secrets management via vault don

[czar0]

Note: this is for CRE Local only.

This pull request enables the CRE Local environment to manage secrets via the vault DON, as required by the current CRE architecture.

The workflows are registered and executed correctly, and the secrets are encrypted and fetched as shown in the log below.

2026-04-20 11:42:02.685debuglevel=debug ts=2026-04-20T09:42:02.685Z logger=CRE.WorkflowRegistrySyncer.WorkflowEngine.WorkflowEngine.SecretsFetcher caller=v2/secrets.go:391 msg="decryption shares collected" version=2.43.0@unset workflowID=00b812c415a0e9c8d82ee694ab942aa1e542f0e7c0c0c1368be940e96ec3559d stepRef= workflowExecutionID= state=

[github-actions]

👋 czar0, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

[github-actions]

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[github-actions]

✅ No conflicts with other open PRs targeting develop

[Copilot]

Pull request overview

Risk Rating: HIGH

Enables CRE Local workflow deployments to manage secrets via the Vault DON by fetching the vault public key from the gateway, encrypting secrets locally, allowlisting the request in the workflow registry, and sending the encrypted payload to the gateway for vault storage.

Changes:

• Adds vault-secrets YAML parsing + encryption pipeline and a gateway JSON-RPC flow for public key fetch and secrets create.
• Updates deploy workflow CLI to accept --gateway-url and to (optionally) update the vault capability config in the capabilities registry.
• Adjusts example workflow deployment call to match the updated deploy function signature.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
core/scripts/cre/environment/environment/workflow.go	Implements vault gateway interactions, secrets encryption/output, allowlisting, and CLI flag changes for CRE Local secret management.
core/scripts/cre/environment/environment/examples.go	Updates example workflow deployment call to align with new deploy function parameters.

[trunk-io]

     

Failed Test	Failure Summary	Logs
Test_CCIPProgrammableTokenTransfer_EVM2Sui_BurnMintTokenPool	The test failed due to an unspecified error during execution, with no clear indication of what caused the failure.	Logs ↗︎
TestRMNCurseOneConnectedLanesGlobalOnly	The test failed because it could not download the required artifact due to a server error (status 500).	Logs ↗︎
Test_CCIPPureTokenTransfer_EVM2Sui_BurnMintTokenPool	The test failed during the process of transferring coins, but the specific error message is not provided in the log.	Logs ↗︎
Test_CCIPZeroGasLimitTokenTransfer_EVM2Sui_BurnMintTokenPool	The test failed without a specific error message, likely due to a timeout or an unspecified failure during execution.	Logs ↗︎

... and 11 more

View Full Report ↗︎ ⋅ Docs

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube