Update secret scripts to provide app workspace ID (#393)

pantherman594 · web-flow · commit 230c1f1a6599 · 2026-05-06T11:57:15.000-04:00
diff --git a/startupscript/butane/055-provide-secrets.sh b/startupscript/butane/055-provide-secrets.sh
@@ -158,7 +158,7 @@ for i in $(seq 0 $((PIPE_SECRET_COUNT - 1))); do
   echo "Retrieving secret: ${SECRET_NAME}"
 
   { set +o xtrace; } 2>/dev/null
-  SECRET_VALUE="$(retrieve_secret TOKEN "${WSM_URL}" "${RESOURCE_ID}" "${KEY_FILE}" \
+  SECRET_VALUE="$(retrieve_secret TOKEN "${WSM_URL}" "${WORKSPACE_ID}" "${RESOURCE_ID}" "${KEY_FILE}" \
     "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}")"
 
   for SECRET_TYPE_KEY in pipeVar pathVar valueVar; do
diff --git a/startupscript/butane/docker-credential-secrets.sh b/startupscript/butane/docker-credential-secrets.sh
@@ -135,7 +135,7 @@ fi
 
 validate_allowed_secret "${SECRET_ENTRY}" "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}"
 
-CREDENTIAL="$(retrieve_secret TOKEN "${WSM_URL}" "${RESOURCE_ID}" "${KEY_FILE}" \
+CREDENTIAL="$(retrieve_secret TOKEN "${WSM_URL}" "${WORKSPACE_ID}" "${RESOURCE_ID}" "${KEY_FILE}" \
   "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}")"
 readonly CREDENTIAL
 
diff --git a/startupscript/butane/secret-utils.sh b/startupscript/butane/secret-utils.sh
@@ -29,22 +29,26 @@ readonly -f sign_nonce
 # Args:
 #   $1 - name of the variable holding the auth token (passed to curl_with_auth)
 #   $2 - WSM base URL
-#   $3 - app resource ID (the challenge requestor)
-#   $4 - path to the Ed25519 private signing key
-#   $5 - workspace ID containing the secret
-#   $6 - secret resource ID
+#   $3 - app workspace ID (workspace containing the app resource)
+#   $4 - app resource ID (the challenge requestor)
+#   $5 - path to the Ed25519 private signing key
+#   $6 - workspace ID containing the secret
+#   $7 - secret resource ID
 # Outputs: decrypted secret value on stdout
 function retrieve_secret() {
   local token_var="$1"
   local wsm_url="$2"
-  local app_resource_id="$3"
-  local key_file="$4"
-  local secret_workspace_id="$5"
-  local secret_resource_id="$6"
+  local app_workspace_id="$3"
+  local app_resource_id="$4"
+  local key_file="$5"
+  local secret_workspace_id="$6"
+  local secret_resource_id="$7"
 
   local challenge_request
-  challenge_request="$(jq -n --arg appResourceId "${app_resource_id}" \
-    '{"identifier": {"appResourceId": $appResourceId}}')"
+  challenge_request="$(jq -n \
+    --arg workspaceId "${app_workspace_id}" \
+    --arg resourceId "${app_resource_id}" \
+    '{"identifier": {"app": {"workspaceId": $workspaceId, "resourceId": $resourceId}}}')"
 
   local nonce
   nonce="$(curl_with_auth "${token_var}" -s -f -X POST \
@@ -62,11 +66,12 @@ function retrieve_secret() {
 
   local read_request
   read_request="$(jq -n \
-    --arg appResourceId "${app_resource_id}" \
+    --arg workspaceId "${app_workspace_id}" \
+    --arg resourceId "${app_resource_id}" \
     --arg nonce "${nonce}" \
     --arg signature "${signature}" \
     '{
-      "identifier": {"appResourceId": $appResourceId},
+      "identifier": {"app": {"workspaceId": $workspaceId, "resourceId": $resourceId}},
       "nonce": $nonce,
       "signature": $signature
     }')"
