Runtime output is an opt-in contract for workflows and deployments that need structured evidence of the worker runtime configuration.
Set WORKER_RUNTIME_OUTPUT=true to emit redacted runtime JSON on stdout. In this mode the entrypoint sends setup logs, process-manager logs, and command output to stderr so stdout remains reserved for the JSON contract. The worker still continues normal runtime execution.
Use this when you need to:
- Capture resolved non-secret runtime env values in CI.
- Upload a runtime evidence artifact before release.
- Inspect which config paths were used by the container.
- Confirm which env names were intentionally redacted.
The JSON output contains:
generated_at: UTC timestamp for the emitted contract.paths.worker_config:worker.yamlpath selected by the entrypoint.paths.services_config:services.yamlpath selected by the entrypoint.paths.environment: generated worker environment file path.env: resolved non-secret environment variables.redacted: environment variable names omitted because they are configured as secrets or secret references.
Secrets and secret references are not printed in env. Their names appear in redacted instead.
docker run \
-e WORKER_RUNTIME_OUTPUT=true \
usabilitydynamics/udx-worker:latest > runtime-output/runtime.jsonUse a short command when the workflow only needs the contract and should exit after capture.
docker run --rm \
-e WORKER_RUNTIME_OUTPUT=true \
usabilitydynamics/udx-worker:latest \
true > runtime-output/runtime.jsonjq -e '.env | type == "object"' runtime-output/runtime.json
jq -e '.redacted | type == "array"' runtime-output/runtime.jsonWorkflow-specific outputs such as $GITHUB_OUTPUT, $GITHUB_STEP_SUMMARY, uploaded artifacts, or platform annotations should be generated by the workflow from this JSON file.
docs/config.mddocs/deployment.mddocs/secrets.md