jdevera · jdevera · May 17, 2026 · May 17, 2026 · May 17, 2026 · May 17, 2026
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -7,9 +7,6 @@ on:
   pull_request:
     branches: [ 'main', 'v*.*.*', 'remote-registry' ]
 
-env:
-  CDT_VAULT_SECRET: very_secret
-
 jobs:
   build:
     runs-on: ${{ matrix.os }}

diff --git a/cmd/consent/consent_test.go b/cmd/consent/consent_test.go
@@ -9,7 +9,8 @@ import (
 
 func TestAccessConsents(t *testing.T) {
 	// TODO: we shouldn't let the secret lib depends on the context
-	context.InitContext("test-vault", "1.0.0", "1")
+	ctx := context.InitContext("testconsent", "1.0.0", "1")
+	t.Setenv(ctx.VaultSecretEnvVar(), "very_secret")
 
 	err := saveCmdConsents("dev-group", "test-cmd", []string{
 		"USERNAME", "PASSWORD", "LOG_LEVEL",

diff --git a/internal/context/context.go b/internal/context/context.go
@@ -29,6 +29,10 @@ type LauncherContext interface {
 
 	FullCmdNameEnvVar() string
 
+	VaultSecretEnvVar() string
+
+	VaultSecretFileEnvVar() string
+
 	/* General function to get a environment variable name with prefix conventions */
 	EnvVarName(name string) string
 }
diff --git a/internal/context/default-context.go b/internal/context/default-context.go
@@ -86,6 +86,14 @@ func (ctx *defaultContext) FullCmdNameEnvVar() string {
 	return ctx.EnvVarName("FULL_COMMAND_NAME")
 }
 
+func (ctx *defaultContext) VaultSecretEnvVar() string {
+	return ctx.EnvVarName("VAULT_SECRET")
+}
+
+func (ctx *defaultContext) VaultSecretFileEnvVar() string {
+	return ctx.EnvVarName("VAULT_SECRET_FILE")
+}
+
 func (ctx *defaultContext) EnvVarName(name string) string {
 	return fmt.Sprintf("%s_%s", ctx.prefix(), name)
 }

diff --git a/internal/gvault/file-vault.go b/internal/gvault/file-vault.go
@@ -11,6 +11,8 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+
+	"github.com/jdevera/command-launcher/internal/context"
 )
 
 type Dico map[string]string
@@ -153,8 +155,13 @@ func (fv *FileVault) encrypt(data []byte) ([]byte, error) {
 }
 
 func readSecret() ([]byte, error) {
+	ctx, err := context.AppContext()
+	if err != nil {
+		return []byte{}, err
+	}
+
 	// first get the secret from environment variable
-	secret := os.Getenv("CDT_VAULT_SECRET")
+	secret := os.Getenv(ctx.VaultSecretEnvVar())
 	if secret != "" {
 		hash := sha256.Sum256([]byte(secret))
 		return hash[:], nil
@@ -173,7 +180,7 @@ func readSecret() ([]byte, error) {
 	}
 
 	// get the secret file from environment variable
-	secretFile := os.Getenv("CDT_VAULT_SECRET_FILE")
+	secretFile := os.Getenv(ctx.VaultSecretFileEnvVar())
 	if secretFile == "" {
 		secretFile = filepath.Join(sshDir, "id_rsa")
 	}

diff --git a/internal/gvault/file-vault_test.go b/internal/gvault/file-vault_test.go
@@ -3,10 +3,18 @@ package vault
 import (
 	"fmt"
 	"testing"
+
+	"github.com/jdevera/command-launcher/internal/context"
 )
 
+func init() {
+	context.InitContext("testvault", "1.0.0", "1")
+}
+
+const vaultSecretEnv = "TESTVAULT_VAULT_SECRET"
+
 func TestVault_Init(t *testing.T) {
-	t.Setenv("CDT_VAULT_SECRET", "very_secret")
+	t.Setenv(vaultSecretEnv, "very_secret")
 
 	_, err := CreateVault("unit-test")
 	if err != nil {
@@ -15,7 +23,7 @@ func TestVault_Init(t *testing.T) {
 }
 
 func TestVault_WriteRead(t *testing.T) {
-	t.Setenv("CDT_VAULT_SECRET", "very_secret")
+	t.Setenv(vaultSecretEnv, "very_secret")
 
 	fv, err := CreateVault("unit-test")
 	if err != nil {
@@ -38,7 +46,7 @@ func TestVault_WriteRead(t *testing.T) {
 }
 
 func TestVault_MultiWriteRead(t *testing.T) {
-	t.Setenv("CDT_VAULT_SECRET", "very_secret")
+	t.Setenv(vaultSecretEnv, "very_secret")
 
 	fv, err := CreateVault("unit-test")
 	if err != nil {

diff --git a/internal/helper/debug-flag.go b/internal/helper/debug-flag.go
@@ -3,6 +3,8 @@ package helper
 import (
 	"os"
 	"strings"
+
+	"github.com/jdevera/command-launcher/internal/context"
 )
 
 const (
@@ -13,15 +15,23 @@ const (
 )
 
 type DebugFlags struct {
-	ForceSelfUpdate    bool // Force the self update of the CDT
+	ForceSelfUpdate    bool // Force the self update of the launcher
 	NoMergeStatusCheck bool // do not check merge status when querying merged changes in gerrit
 	ShowCmdExecStdout  bool // always show cmd exec stdout to console
 	UseFileVault       bool // use file vault instead of system vault
 }
 
+func debugFlagsString() string {
+	ctx, err := context.AppContext()
+	if err != nil {
+		return ""
+	}
+	return os.Getenv(ctx.DebugFlagsEnvVar())
+}
+
 // load all debug flags into DebugFlags struct
 func LoadDebugFlags() DebugFlags {
-	flagsString := os.Getenv("CDT_DEBUG_FLAGS")
+	flagsString := debugFlagsString()
 	flags := strings.Split(flagsString, ",")
 	debugFlags := DebugFlags{}
 	for _, flag := range flags {
@@ -41,7 +51,7 @@ func LoadDebugFlags() DebugFlags {
 
 // check if a debug flag exists
 func HasDebugFlag(name string) bool {
-	flagsString := os.Getenv("CDT_DEBUG_FLAGS")
+	flagsString := debugFlagsString()
 	if flagsString == "" {
 		return false
 	}

diff --git a/internal/helper/password.go b/internal/helper/password.go
diff --git a/test/integration.sh b/test/integration.sh
@@ -25,6 +25,9 @@ go build -o $OUTPUT_DIR/cl -ldflags='-X main.version=integration-test -X main.bu
 # specify the app home
 export CL_HOME=$OUTPUT_DIR/home
 
+# unlock the file vault without depending on ~/.ssh existing (CI runners don't have one)
+export CL_VAULT_SECRET=very_secret
+
 if [ $# -ne 0 ]; then
   # in case pass test as arguments, run test from the arguments
   for test in "$@"; do