Root build fails when secrets include a symlink to a dependency asset #402

@somesocks

Description

When a root has a symlink under dyd/secrets that points into a dependency (e.g. dyd/secrets/.sops.yaml -> ../dependencies/policies/dyd/assets/common.sops.yaml), dryad root build fails during fingerprint generation with “error generating root fingerprint”.

Reproduction

  1. Create a root with a dependency.
  2. Add a symlink in dyd/secrets pointing to an asset in dyd/dependencies/<dep>/dyd/assets/....
  3. Run dryad root build <root>.

Observed

Build fails at root fingerprint stage. In logs: error generating root fingerprint.

Expected

Build succeeds. Secrets symlink should be preserved (or handled consistently with assets).

Notes

This appears to be caused by SecretsWalk using fs2.Walk, which eagerly resolves symlinks via filepath.EvalSymlinks against the source root, where dyd/dependencies doesn’t exist. This makes secrets fingerprinting fail before the build completes.
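
Added example, not part of the original issue and not dryad's code: a stand-alone Go sketch of the failure mode described in the Notes and of a walk that fingerprints a symlink by its target string instead of resolving it. The function name fingerprintSecrets and the hashing layout are assumptions for illustration; it uses the standard library's filepath.WalkDir, not dryad's fs2.Walk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// fingerprintSecrets (hypothetical name) hashes a secrets tree without following
// symlinks: a link contributes its target string, so a missing target is not an error.
func fingerprintSecrets(dir string) (string, error) {
	h := sha256.New()
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(dir, p)
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			target, err := os.Readlink(p) // reads the link itself, never the target
			if err != nil {
				return err
			}
			fmt.Fprintf(h, "link\x00%s\x00%s\x00", rel, target)
		case d.Type().IsRegular():
			data, err := os.ReadFile(p)
			if err != nil {
				return err
			}
			fmt.Fprintf(h, "file\x00%s\x00%d\x00", rel, len(data))
			h.Write(data)
		}
		return nil
	})
	return hex.EncodeToString(h.Sum(nil)), err
}

func main() {
	secrets, _ := os.MkdirTemp("", "secrets-") // constructed stand-in for dyd/secrets
	defer os.RemoveAll(secrets)
	link := filepath.Join(secrets, ".sops.yaml")
	os.Symlink("../dependencies/policies/dyd/assets/common.sops.yaml", link)
	_, err := filepath.EvalSymlinks(link)
	fmt.Println("EvalSymlinks:", err) // fails: target is missing at this stage
	fmt.Println(fingerprintSecrets(secrets))
}
```

Hashing the link text rather than the resolved file also keeps the secrets fingerprint from reading content outside the secrets directory; whether dryad should preserve or resolve such links is the open question in this issue.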

Labels: Type: Bug (Something isn't working as expected)
