NewDefaultProvider creates a provider chain with OS env, run secrets, credential helper (if configured), Docker Desktop, pass, and keychain providers. The whole chain is wrapped so that values shaped like "op://..." are resolved as 1Password secret references through the `op` CLI. When running inside a sandbox, [SandboxTokenProvider] is prepended so that DOCKER_TOKEN is read from the JSON file written by the host-side token writer.
// NewDefaultProvider creates a provider chain with OS env, run secrets,
// credential helper (if configured), Docker Desktop, pass, and keychain
// providers, appended in that order. The whole chain is wrapped so that values
// shaped like "op://..." are resolved as 1Password secret references through
// the `op` CLI. When running inside a sandbox, [SandboxTokenProvider] is
// prepended so that DOCKER_TOKEN is read from the JSON file written by the
// host-side token writer.
//
// Optional providers (credential helper, pass, keychain) are left out without
// any error being reported when their setup fails, so the returned chain can
// differ between machines.
func NewDefaultProvider() Provider {
	var chain []Provider

	// Inside a sandbox the Docker Desktop backend API is unreachable and any
	// DOCKER_TOKEN env var is a stale one-shot value, so a file-based provider
	// reading the continuously-refreshed token goes first. The host writes the
	// token file into the config directory (mounted read-only into the
	// sandbox), which is why the path is built from GetConfigDir and not
	// GetDataDir.
	if InSandbox() {
		tokenFile := SandboxTokensFilePath(paths.GetConfigDir())
		chain = append(chain, NewSandboxTokenProvider(tokenFile))
	}

	chain = append(chain, NewOsEnvProvider())
	chain = append(chain, NewRunSecretsProvider())

	// The credential helper is added only when the user config loads and names
	// a non-empty command. A load error is deliberately not surfaced here: the
	// helper is simply absent from the chain in that case.
	// NOTE(review): Command and Args are taken verbatim from user config and
	// are presumably run as an external process by the provider; whoever can
	// write that config file decides what is run. Confirm the file's
	// permissions are checked where it is loaded.
	if cfg, err := userconfig.Load(); err == nil {
		if helper := cfg.CredentialHelper; helper != nil && helper.Command != "" {
			chain = append(chain, NewCredentialHelperProvider(helper.Command, helper.Args...))
		}
	}

	// Docker Desktop comes after the credential helper.
	chain = append(chain, NewDockerDesktopProvider())

	// pass and keychain go last, each only when its constructor succeeds.
	if pass, err := NewPassProvider(); err == nil {
		chain = append(chain, pass)
	}
	if keychain, err := NewKeychainProvider(); err == nil {
		chain = append(chain, keychain)
	}

	// "op://" references are resolved through the 1Password CLI regardless of
	// which provider returned the value.
	// NOTE(review): that includes values read from the OS environment and the
	// sandbox token file. Confirm that resolving references supplied by those
	// sources is intended, since the wrapper sits outside every provider.
	multi := NewMultiProvider(chain...)
	return NewOnePasswordProvider(multi)
}
no test coverage detected