#'secret xxh3:59e1941a8d2a4c76: not found' when chaining functions


rustic delta
#

I'm attempting to run a v0.11.9 module in v0.12.1, and get the same output in v0.12.2. I have two simple functions which were chaining fine:

Abridged for conciseness.

func (m *Terraform) New(ctx context.Context,
    // Source
    source *Directory,
    // Base Container
    // +optional
    baseCtr *Container,
) (*Terraform, error) {
    if baseCtr == nil {
        baseCtr = m.BaseContainer()
    }

    baseCtr = baseCtr.
        WithDirectory(WorkspacePath, source,
            ContainerWithDirectoryOpts{
                Exclude: []string{ExcludeDirs},
            }).
        WithWorkdir(WorkspacePath)

    var err error
    m.Ctr, err = baseCtr.Sync(ctx)
    if err != nil {
        m.Error = err.Error()
        m.GateStrikes++
    }
    return m, err
}
func (m *Terraform) Format(ctx context.Context) (*Terraform, error) {
    var err error = nil

    tfCmd := []string{
        "terraform",
        "fmt",
        "-check",
        "-recursive",
        "-diff",
    }

    ctr, err := m.Ctr.
        WithExec(tfCmd,
            ContainerWithExecOpts{
                SkipEntrypoint: true,
                RedirectStdout: WorkspacePath + "/.tfformat.txt",
            }).
        Sync(ctx)
    if err != nil {
        m.Error = err.Error()
        m.GateStrikes++
    }

    m.TfFmt, err = ctr.Stdout(ctx)
    if err != nil {
        m.Error = err.Error()
        m.GateStrikes++
    }

    m.Ctr = ctr

    return m, nil
}

And a separate function called Container which would just return m.Ctr which I could then pass to terminal from the command line, i.e. dagger -m ~/repos/daggerverse/terraform call -vvv new --source=. format container terminal -- New uses WithSecretVariable to read some specified secrets, I've just removed it here for post size.

This all worked in v0.11.9 with matching CLI, but if I try to use v0.12.x CLI I get:

! process "/runtime" did not complete successfully: exit code: 2
  ✔ Container.withSecretVariable(
      name: "ARM_TENANT_ID"
      secret: ✔ setSecret(name: "ARM_TENANT_ID"): Secret! 0.0s
    ): Container! 0.0s
    ✔ secret(accessor: "--snip--", name: "ARM_TENANT_ID"): Secret! 0.0s
  ✔ Container.withSecretVariable(
      name: "ARM_SUBSCRIPTION_ID"
      secret: ✔ setSecret(name: "ARM_SUBSCRIPTION_ID"): Secret! 0.0s
    ): Container! 0.0s
    ✔ secret(accessor: "--snip--", name: "ARM_SUBSCRIPTION_ID"): Secret! 0.0s
--snip--
  ✔ Container.withFile(
      path: "/root/.ssh/id_rsa"
      permissions: 384
      source: ✔ Host.file(path: "/Users/--snip--/.ssh/id_rsa"): File! 0.0s
    ): Container! 0.0s
  ✔ Container.withFile(
      path: "/root/.ssh/known_hosts"
      permissions: 384
      source: ✔ Host.file(path: "/Users/--snip--/.ssh/known_hosts"): File! 0.0s
    ): Container! 0.0s
  ✘ Container.withExec(args: ["terraform", "fmt", "-check", "-recursive", "-diff"], redirectStdout: "/workspace/.tfformat.txt", skipEntrypoint: true): Container! 0.0s
    ✘ exec terraform fmt -check -recursive -diff 0.0s
    ! secret xxh3:59e1941a8d2a4c76: not found
  ✘ Container.sync: ContainerID! 0.0s
  ! secret xxh3:59e1941a8d2a4c76: not found

Error: invalid selection for command "terminal": response from query: input: terraform.new.format resolve: call function "Format": process "/runtime" did not complete successfully: exit code: 2

Stderr:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x92e0dc]

I'm blocked from upgrading dagger-engine, CLI, and my private Daggerverse modules in production pipelines. Any help would be much appreciated. 😭

uneven vale
#

Hmmm there were changes in v0.12.1 that plugged some holes in secrets to prevent cases where modules could access each other's secrets, which is based on tracking the secrets that were explicitly provided to a given function call.

But I think I may have missed the case where a Secret gets set in a Container that's set in a struct field (it only tracks arg values to a given function call) and passed that way through to chained function calls.

I'll go confirm that's the case. If so, A) sorry about missing that case! and B) we'll get it fixed in the next patch release (v0.12.3). You'd be able to work around in the meantime by explicitly passing the secrets as args to each function call that needs them, but realize that's super annoying so may just want to wait for the fix.
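Added example, not part of the thread and not Dagger's engine code: a simplified Go model of the per-call secret scoping described in the reply above, showing why a secret reachable only through a Container stored in a struct field resolves as "not found" in a chained call, and why passing it as an argument works. The `Engine`, `Container`, `Call` and `Demo` names and the `id-tenant` secret ID are assumptions made up for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model (assumption, not Dagger's implementation): a container
// records only secret IDs; the plaintext lives in an engine-side store.
type Container struct{ SecretEnv map[string]string } // env name -> secret ID

type Engine struct{ store map[string]string } // secret ID -> plaintext

var ErrNotFound = errors.New("not found")

// Call models one module function call. Only secret IDs passed as explicit
// arguments are granted to the call; IDs reachable through a Container held
// in a struct field are not, which is the gap described in the thread.
func (e *Engine) Call(ctr Container, argSecretIDs ...string) (map[string]string, error) {
	granted := map[string]bool{}
	for _, id := range argSecretIDs {
		granted[id] = true
	}
	env := map[string]string{}
	for name, id := range ctr.SecretEnv {
		val, ok := e.store[id]
		if !ok || !granted[id] {
			// Deny by default: an ungranted secret looks the same as a missing one.
			return nil, fmt.Errorf("secret %s: %w", id, ErrNotFound)
		}
		env[name] = val
	}
	return env, nil
}

// Demo uses a constructed secret and container, then runs the chained call
// with and without the secret passed as an argument.
func Demo() (chainedErr, workaroundErr error) {
	e := &Engine{store: map[string]string{"id-tenant": "constructed-value"}}
	ctr := Container{SecretEnv: map[string]string{"ARM_TENANT_ID": "id-tenant"}}
	_, chainedErr = e.Call(ctr)                 // chained call that only sees the struct field
	_, workaroundErr = e.Call(ctr, "id-tenant") // secret also passed as an explicit arg
	return chainedErr, workaroundErr
}

func main() {
	chained, workaround := Demo()
	fmt.Println("chained:", chained)
	fmt.Println("workaround:", workaround)
}
```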

rustic delta
#

Perfect. Yes I call a function in a different dependency module, which takes dotenv formatted input and sets secrets on the container.

Thanks for the super-fast response!

uneven vale
#

We just released v0.12.3, should be fixed there. Let me know if you're able to successfully upgrade now!