Block deletion of in-use secrets across Single and Multiple revision modes #1101

Draft: Copilot wants to merge 3 commits into main from copilot/fix-inconsistent-secret-deletion

Copilot AI commented Jun 17, 2026

Secret deletion behavior was inconsistent across revision modes: Multiple mode could block deletion when an active revision referenced the secret, while Single mode could allow deletion and leave dangling secretRef dependencies. This change makes deletion validation mode-consistent by detecting secret consumers before update and blocking with actionable usage details.

  • Dependency-aware delete gate

    • Added pre-delete reference discovery in deleteSecret flow.
    • Deletion is blocked when the target secret is referenced by:
      • template.scale.rules[*].azureQueue.auth[*].secretRef
      • active revision templates (Multiple mode)
      • current template (Single mode)
      • container env vars: containers[*].env[*].secretRef
      • registry credentials: configuration.registries[*].passwordSecretRef
    • Error message now lists concrete usage locations (revision/rule/container/env/registry) to guide remediation.
  • User messaging alignment

    • Updated delete confirmation text to reflect enforced dependency blocking.
    • Removed wording that implied deletion could proceed and fail only later at restart time.
  • Targeted coverage

    • Added focused tests for:
      • Single mode referenced secret → blocked path (reference discovered)
      • Multiple mode referenced secret (active revision) → blocked path
      • Unreferenced secret → delete path remains allowed

```ts
const references = getSecretReferenceLocations(secretName, containerAppEnvelope, {
  activeRevisions: revisions, // filtered to active in helper
  includeCurrentTemplate: containerApp.revisionsMode === KnownActiveRevisionsMode.Single
});

if (references.length) {
  throw new Error(
    `Cannot delete secret "${secretName}" because it is referenced by: ${references.join(', ')}.`
  );
}
```

Copilot AI changed the title from "[WIP] Fix inconsistent behavior when deleting secret in Azure Queue scale rule" to "Block deletion of in-use secrets across Single and Multiple revision modes" Jun 17, 2026
Copilot AI requested a review from nturinski June 17, 2026 18:18
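
The reference discovery described in the PR comment, as an added example that is not the PR's `getSecretReferenceLocations` code. The interfaces, the helper names `scanTemplate` and `findSecretReferences`, and the sample values are assumptions built only from the paths the description lists; it also assumes Single mode scans the current template and Multiple mode scans active revisions only.

```typescript
// Shapes are trimmed to the fields named in the PR description (assumed, not the SDK types).
interface Template {
  containers?: { name?: string; env?: { name?: string; secretRef?: string }[] }[];
  scale?: { rules?: { name?: string; azureQueue?: { auth?: { secretRef?: string }[] } }[] };
}
interface Revision { name: string; active?: boolean; template?: Template }
interface ContainerApp {
  revisionsMode: 'Single' | 'Multiple';
  configuration?: { registries?: { server?: string; passwordSecretRef?: string }[] };
  template?: Template;
}
// Collect env-var and Azure Queue scale-rule references inside one template.
function scanTemplate(secret: string, scope: string, t?: Template): string[] {
  const hits: string[] = [];
  for (const c of t?.containers ?? []) {
    for (const e of c.env ?? []) {
      if (e.secretRef === secret) hits.push(`${scope}: container "${c.name}" env "${e.name}"`);
    }
  }
  for (const r of t?.scale?.rules ?? []) {
    if ((r.azureQueue?.auth ?? []).some(a => a.secretRef === secret)) {
      hits.push(`${scope}: scale rule "${r.name}"`);
    }
  }
  return hits;
}

// Hypothetical helper: every location that still depends on `secret`.
function findSecretReferences(secret: string, app: ContainerApp, revisions: Revision[]): string[] {
  const hits: string[] = [];
  for (const reg of app.configuration?.registries ?? []) {
    if (reg.passwordSecretRef === secret) hits.push(`registry "${reg.server}"`);
  }
  if (app.revisionsMode === 'Single') {
    hits.push(...scanTemplate(secret, 'current template', app.template));
  } else {
    // Multiple mode: only revisions flagged active are scanned.
    for (const rev of revisions.filter(r => r.active === true)) {
      hits.push(...scanTemplate(secret, `revision "${rev.name}"`, rev.template));
    }
  }
  return hits;
}

// Constructed sample: "queue-conn" is used by an env var and by a scale rule.
const sampleTemplate: Template = {
  containers: [{ name: 'worker', env: [{ name: 'QUEUE_CONN', secretRef: 'queue-conn' }] }],
  scale: { rules: [{ name: 'queue-rule', azureQueue: { auth: [{ secretRef: 'queue-conn' }] } }] },
};
```

A delete gate would refuse the update whenever the returned list is non-empty and surface the entries in its error message.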