feat: auto-ARN secret resolution and job lifecycle notify functions#146
Merged
Merged
Conversation
- resolve_secret now auto-detects {env_var}_ARN as a fallback when the env var is empty and no explicit ARN is passed (e.g. WRENCH_SERVICE_SECRET_ARN). This fixes silent notification failures across all services that use the ARN-only secret pattern.
- New _notify.py module adds job_register, job_update, job_close — three fire-and-forget wrappers over the AiAxis job lifecycle endpoints with the same never-raise contract as slack_post.
- All three functions exported from WrenchCL.Wrench for use in FeatureForge, elt-api-requester, model-input-builder and other Wrench services.
- Comprehensive test coverage: 8 tests for auto-ARN fallback behaviour, 39 tests for the three notify functions, all passing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
resolve_secretnow auto-detects{env_var}_ARNas a fallback when the env var is empty and no explicit ARN is passed. This fixes silent notification failures across all services that use the ARN-only secret pattern (WRENCH_SERVICE_SECRET_ARNset,WRENCH_SERVICE_SECRETunset)._notify.pymodule addsjob_register,job_update,job_close— thin wrappers over the AiAxis job lifecycle endpoints. Same fire-and-forget / never-raise contract asslack_post.WrenchCL.Wrench.Root cause this fixes
Services deploy with only
WRENCH_SERVICE_SECRET_ARNset (no plaintext — correct, because the secret rotates every 4 hours).WrenchCL.slack_postcalledresolve_secretwith only the env var name, got an empty string, and silently returned False without ever checking the_ARNenv var. Result: 0 Slack notifications across all services since the v6 rollout June 8.No breaking changes
Priority order for existing callers is unchanged: direct value > env var > auto-ARN > explicit ARN. Callers that pass an explicit
secret_arnare unaffected.Sales impact
Job progress notifications and Slack alerts now work correctly for all services regardless of whether the service secret is injected as a plaintext env var or an ARN reference.