udx · fqjony · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install ShellCheck
         run: sudo apt-get install -y shellcheck
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install hadolint
         run: |
@@ -45,7 +45,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install yamllint
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -131,7 +131,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

diff --git a/Dockerfile b/Dockerfile
@@ -50,8 +50,8 @@ RUN apt-get update && \
     unzip=6.0-28ubuntu6 \
     nano=8.3-1 \
     vim=2:9.1.0967-1ubuntu4.1 \
-    python3.13=3.13.3-1ubuntu0.3 \
-    python3.13-venv=3.13.3-1ubuntu0.3 \
+    python3.13=3.13.3-1ubuntu0.4 \
+    python3.13-venv=3.13.3-1ubuntu0.4 \
     python3-pip=25.0+dfsg-1ubuntu0.2 \
     supervisor=4.2.5-3 && \
     # Install Azure CLI in venv with optimizations for scanning
@@ -76,16 +76,16 @@ RUN echo $TZ > /etc/timezone && \
 # Install yq (architecture-aware)
 RUN ARCH=$(uname -m) && \
     if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; elif [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi && \
-    curl -sL https://github.com/mikefarah/yq/releases/download/v4.48.2/yq_linux_${ARCH}.tar.gz | tar xz && \
+    curl -sL https://github.com/mikefarah/yq/releases/download/v4.49.2/yq_linux_${ARCH}.tar.gz | tar xz && \
     mv yq_linux_${ARCH} /usr/bin/yq && \
     rm -rf /tmp/*
 
 # Install Google Cloud SDK (architecture-aware)
 RUN ARCH=$(uname -m) && \
     if [ "$ARCH" = "x86_64" ]; then \
-    curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-547.0.0-linux-x86_64.tar.gz" -o google-cloud-sdk.tar.gz; \
+    curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-548.0.0-linux-x86_64.tar.gz" -o google-cloud-sdk.tar.gz; \
     elif [ "$ARCH" = "aarch64" ]; then \
-    curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-547.0.0-linux-arm.tar.gz" -o google-cloud-sdk.tar.gz; \
+    curl -sSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-548.0.0-linux-arm.tar.gz" -o google-cloud-sdk.tar.gz; \
     fi && \
     tar -xzf google-cloud-sdk.tar.gz && \
     ./google-cloud-sdk/install.sh -q && \

diff --git a/deploy.yml b/deploy.yml
@@ -0,0 +1,27 @@
+# npm install -g @udx/worker-deployment
+# gcloud auth login
+# gcloud auth application-default login
+# worker-run
+
+---
+kind: workerDeployConfig
+version: udx.io/worker-v1/deploy
+config:
+  # Docker image
+  image: "usabilitydynamics/udx-worker:latest"
+
+  env:
+    TEST_ENV_SECRET: "gcp/rabbit-ci-dev/worker-secret-test"
+
+  # Mount volumes
+  # volumes:
+  #   - "./worker.yaml:/home/udx/.config/worker/worker.yaml"
+
+  # ports:
+  #   - "80:80"
+
+  # Command to run
+  # command: "/usr/local/bin/init.sh"
+
+  service_account:
+    email: "worker-site@rabbit-ci-dev.iam.gserviceaccount.com"
diff --git a/docs/config.md b/docs/config.md
@@ -3,6 +3,7 @@
 ## Overview
 
 The UDX Worker uses `worker.yaml` as its primary configuration file, allowing you to:
+
 - Define environment variables
 - Reference secrets from various providers
 - Configure worker behavior
@@ -15,12 +16,12 @@ The UDX Worker uses `worker.yaml` as its primary configuration file, allowing yo
 
 ## Configuration Structure
 
-| Section | Purpose | Required |
-|---------|----------|----------|
-| `kind` | Configuration type identifier | Yes |
-| `version` | Schema version | Yes |
-| `config.env` | Environment variables | No |
-| `config.secrets` | Secret references | No |
+| Section          | Purpose                       | Required |
+| ---------------- | ----------------------------- | -------- |
+| `kind`           | Configuration type identifier | Yes      |
+| `version`        | Schema version                | Yes      |
+| `config.env`     | Environment variables         | No       |
+| `config.secrets` | Secret references             | No       |
 
 ## Basic Example
 
@@ -72,33 +73,61 @@ secrets:
 
 ## Environment Variables
 
+Environment variables can be defined in two ways:
+
+### 1. Direct Values
+
 ```yaml
 config:
   env:
     # Cloud Provider Settings
     AZURE_TENANT_ID: "tenant-id"
     AWS_REGION: "us-west-2"
     GCP_PROJECT: "my-project"
-    
+
     # Application Settings
     LOG_LEVEL: "info"
     MAX_WORKERS: "5"
     ENABLE_METRICS: "true"
 ```
 
+### 2. Secret References
+
+Environment variables can also reference secrets using the same provider format as the `secrets` section:
+
+```yaml
+config:
+  env:
+    # Reference secrets directly in env variables
+    DATABASE_URL: "gcp/my-project/db-connection-string"
+    API_TOKEN: "azure/kv-prod/api-token"
+    AWS_SECRET_KEY: "aws/prod/secret-access-key"
+    VAULT_PASSWORD: "bitwarden/prod/vault-pass"
+
+    # Mix with regular values
+    LOG_LEVEL: "info"
+```
+
+The worker will automatically detect secret references (format: `provider/vault/secret`) in environment variables and resolve them at runtime.
+
 ## Best Practices
 
 1. **Secret Management**
-   - Never store sensitive values directly in `env`
-   - Use `secrets` section for sensitive data
-   - Reference secrets from appropriate providers
+
+   - Never store sensitive values as plain text
+   - Use either `config.secrets` section OR secret references in `config.env`
+   - Both methods support the same provider format: `provider/vault/secret`
+   - Choose based on your preference:
+     - `config.secrets`: Explicit separation of secrets
+     - `config.env` with references: Unified configuration
 
 2. **Environment Variables**
-   - Use `env` for non-sensitive configuration
+
+   - Use `env` for non-sensitive configuration OR secret references
    - Keep values consistent across environments
    - Document any required variables
 
 3. **File Handling**
    - Keep configuration in version control (without sensitive data)
    - Use different files for different environments
-   - Validate configuration before deployment
+   - Validate configuration before deployment
diff --git a/lib/environment.sh b/lib/environment.sh
@@ -66,6 +66,13 @@ configure_environment() {
         log_info "No secrets defined in the configuration."
     fi
 
+    # Fetch secrets from environment variables with provider prefixes
+    log_info "Checking for secret references in environment variables..."
+    if ! fetch_secrets_from_env_vars; then
+        log_error "Environment" "Failed to fetch secrets from environment variables."
+        return 1
+    fi
+
     # Perform cleanup
     log_info "Cleaning up sensitive data..."
     if ! cleanup_actors; then