Skip to content

fix: move applyEnvironmentVariables() before secret-ref loop in write()#31154

Open
ilancas wants to merge 3 commits intoKoenkk:devfrom
ilancas:fix/apply-env-vars-before-secret-ref-loop
Open

fix: move applyEnvironmentVariables() before secret-ref loop in write()#31154
ilancas wants to merge 3 commits intoKoenkk:devfrom
ilancas:fix/apply-env-vars-before-secret-ref-loop

Conversation

@ilancas
Copy link
Copy Markdown

@ilancas ilancas commented Feb 23, 2026

In write(), applyEnvironmentVariables(toWrite) was called after the secret-reference preservation loop. This meant env var values (e.g. ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD injected by the HA addon docker-entrypoint.sh) would overwrite the !secret.yaml reference with plain text on every write cycle.

Fix: move applyEnvironmentVariables(toWrite) to before the loop so that the resolved env var value gets routed to the secret file and the !secret reference is preserved in configuration.yaml.

Fixes #31140

@ilancas
fix: move applyEnvironmentVariables() before secret-ref loop in write()
da7f064 
In write(), applyEnvironmentVariables(toWrite) was called after the secret-reference preservation loop. This meant env var values (e.g. ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD injected by the HA addon docker-entrypoint.sh) would overwrite the !secret.yaml reference with plain text on every write cycle.

Fix: move applyEnvironmentVariables(toWrite) to before the loop so that the resolved env var value gets routed to the secret file and the !secret reference is preserved in configuration.yaml.

Fixes Koenkk#31140
@ilancas ilancas changed the base branch from master to dev February 23, 2026 09:09
@ilancas
Merge branch 'dev' into fix/apply-env-vars-before-secret-ref-loop
becbffe
@ilancas
fix: skip secret-ref preservation when env var explicitly overrides key
6017660 
Reverts the previous approach (moving applyEnvironmentVariables before the loop) which broke existing tests.

The correct fix: keep applyEnvironmentVariables after the loop, but in the secret-reference preservation loop, check whether a plain env var is set for that key. If so, skip the !secret routing so the env var value goes directly into configuration.yaml instead of being silently diverted to the secret file.

If the env var value is itself a !secret reference, the preservation logic still runs normally.
@Nerivec
Copy link
Copy Markdown
Collaborator

Nerivec commented Feb 23, 2026
edited
Loading

The title/description of the PR doesn't appear to match what the code change is doing?

Regarding the issue, since env vars are meant to override the configuration.yaml (https://www.zigbee2mqtt.io/guide/configuration/#environment-variables), considering the value for a config:

  • configuration.yaml: a
  • env var: b

The final value is always b.

HA should allow preventing the setting of env vars if set via HA add-on config:
https://github.com/zigbee2mqtt/hassio-zigbee2mqtt/blob/435d94b93f20be88bcaa0f39659411063d01f6b1/common/rootfs/docker-entrypoint.sh#L92 (in which case you need to set all of: mqtt.server, mqtt.user, mqtt.password since the HA startup will no longer automatically set them - PS: @Koenkk might be good to change this, split the if to allow per-config).
ha-secret

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 25, 2026

This pull request is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions Bot added the stale Stale issues label Apr 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

stale Stale issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: applyEnvironmentVariables() in write() overwrites !secret.yaml references with plain text

2 participants

@ilancas @Nerivec