Warning
Variables were used in this run
This run routed one or more Key Vault items to GitHub environment variables (not secrets). Variables are not masked like secrets in GitHub UI/logs; treat them as non-sensitive and review repository access.
Hybrid routing migration active
This run accepted both legacy name-based routing and tag-based routing. Valid tag routing took precedence. Legacy-only items still require migration, and conflicting name/tag routing was reported and skipped.
Required operator action
- Migrate legacy-only items to tag-based routing
- Add secret-sync.source-id to managed tag-routed items
- Fix invalid tag schema on managed items
- Resolve any reported name/tag routing conflicts
| Check | Count | Examples |
|---|---|---|
| Legacy name-based routing still in use | 3 | devkv01:auto--payments-api--db-password, devkv01:auto-shared-subscription-id |
| Missing secret-sync.source-id | 2 | devkv01:tls-cert, prodkv01:deploy-token |
| Invalid tag schema (fallback or skip) | 1 | devkv01:legacy-app-secret |
| Name/tag routing conflicts | 1 | prodkv01:auto--web-portal--api-key |
Totals for planned writes vs outcomes across all targeted repo/environment pairs.
| Planned | Written | Unchanged | Skipped | Failed | Issues |
|---|---|---|---|---|---|
| 18 | 11 | 4 | 2 | 1 | 6 |
Secrets are encrypted (sealed-box). Variables are plaintext server-side and not masked in logs by default.
| Kind | Planned | Written | Unchanged | Skipped | Failed |
|---|---|---|---|---|---|
| secret | 15 | 10 | 3 | 1 | 1 |
| variable | 3 | 1 | 1 | 1 | 0 |
| Mode | Grace runs | Candidates | Eligible now | Tombstones | Deleted | Failed |
|---|---|---|---|---|---|---|
| deleteWithTombstone | 3 | 2 | 1 | 1 | 1 | 0 |
| Repo | Deleted | Failed |
|---|---|---|
| payments-api | 1 | 0 |
High-level scope derived from config and discovery (no secret values).
- Org: example-org
- Repos evaluated: 24; eligible: 9
- Key Vaults evaluated: 3
Per-environment rollup after eligibility checks; counts reflect attempted destination writes.
| Environment | Targeted repos | Written | Unchanged | Skipped | Failed |
|---|---|---|---|---|---|
| dev | 5 | 7 | 3 | 1 | 0 |
| preprod | 2 | 2 | 1 | 0 | 0 |
| prod | 2 | 2 | 0 | 1 | 1 |
Per-Key Vault inventory and processing counts. "Read" means values were fetched for managed matches.
| Vault | Listed | Managed matched | Ignored | Read (values fetched) |
|---|---|---|---|---|
| devkv01 | 42 | 11 | 31 | 11 |
| preprodkv01 | 18 | 4 | 14 | 4 |
| prodkv01 | 27 | 6 | 21 | 6 |
Eligibility outcomes when checking whether repo environments exist and are accessible.
| Environment | Eligible repos | Missing env | Forbidden | Errors |
|---|---|---|---|---|
| dev | 5 | 2 | 0 | 0 |
| preprod | 2 | 1 | 0 | 0 |
| prod | 2 | 0 | 1 | 0 |
Repos with writes > 0, aggregated across all environments; "Unique destination keys" counts distinct destination items written.
| Repo | Envs | Written | Unique destination keys |
|---|---|---|---|
| payments-api | 2 | 4 | 4 |
| web-portal | 1 | 3 | 3 |
| platform-worker | 1 | 2 | 2 |
| shared-infra | 1 | 2 | 2 |
Per repo/environment breakdown for destinations where at least one secret write occurred.
| Repo | Env | Written | Unchanged | Skipped | Failed | Notes |
|---|---|---|---|---|---|---|
| payments-api | dev | 3 | 1 | 0 | 0 | |
| payments-api | prod | 1 | 0 | 0 | 0 | |
| web-portal | dev | 3 | 0 | 1 | 0 | |
| platform-worker | preprod | 2 | 1 | 0 | 0 | |
| shared-infra | dev | 2 | 0 | 0 | 1 | |
Repo/environment targets where all planned destinations were unchanged (no writes).
| Repo | Env | Written | Unchanged | Skipped | Failed | Notes |
|---|---|---|---|---|---|---|
| docs-site | dev | 0 | 2 | 0 | 0 | |
Repo/environment targets that were skipped due to policy, validation, or routing outcomes.
| Repo | Env | Written | Unchanged | Skipped | Failed | Notes |
|---|---|---|---|---|---|---|
| legacy-service | prod | 0 | 0 | 1 | 0 | TAG_INVALID_ROUTE |
| web-portal | prod | 0 | 0 | 1 | 0 | ROUTING_CONFLICT |
Repo/environment targets that could not be accessed due to permission/authorisation failures.
| Repo | Env | Written | Unchanged | Skipped | Failed | Notes |
|---|---|---|---|---|---|---|
| finance-api | prod | 0 | 0 | 0 | 1 | endpoint=/repos/example-org/finance-api/environments/prod/secrets/public-key |
Repo/environment targets where the required environment does not exist; these are not written.
| Repo | Env | Written | Unchanged | Skipped | Failed | Notes |
|---|---|---|---|---|---|---|
| sandbox-app | dev | 0 | 0 | 1 | 0 | environment missing |
| demo-site | preprod | 0 | 0 | 1 | 0 | environment missing |
secret-sync --config config.yaml --report-file secretsync-report.json --log-decisions --log-level INFO