Skip to content

Migrate to proper secret passing using OpenHands SDK pattern #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Migrate to proper secret passing using OpenHands SDK pattern #6

wants to merge 2 commits into from

Conversation

@rbren
Copy link
Collaborator

@rbren rbren commented Nov 19, 2025

Summary

This PR migrates the CVE demo from using environment variable exports to properly passing secrets using the OpenHands SDK's conversation.update_secrets() method, following the pattern demonstrated in openhands/software-agent-sdk/examples/01_standalone_sdk/12_custom_secrets.py.

Problem

Previously, the code was trying to pass GITHUB_TOKEN to agents by exporting it as an environment variable in the workspace:

def setup_git_environment(self):
    github_token = os.getenv('GITHUB_TOKEN')
    if github_token:
        self.workspace.execute_command(f"export GITHUB_TOKEN={github_token}")

This approach had several issues:

  • Environment variable exports don't persist properly across workspace commands
  • It's not the recommended way to handle secrets in OpenHands SDK
  • It doesn't follow the patterns shown in the software-agent-sdk examples

Solution

Now using the proper OpenHands SDK pattern:

def create_agent_conversation(self, secrets: Optional[Dict[str, str]] = None) -> tuple[Agent, Conversation]:
    # ... create agent and conversation ...
    if secrets:
        conversation.update_secrets(secrets)
    return agent, conversation

Changes Made

Core Changes

  • Updated BaseAgent.create_agent_conversation(): Now accepts optional secrets parameter and uses conversation.update_secrets()
  • Replaced setup_git_environment(): Removed the problematic method and replaced with get_github_token() helper
  • Updated agent usage: Both CVE scanner and solver now properly pass GITHUB_TOKEN as a secret

Documentation & Examples

  • Added SECRETS_MIGRATION.md: Comprehensive documentation explaining the migration
  • Added example_secrets_usage.py: Demonstration script showing the new pattern

Benefits

  1. Proper Secret Handling: Secrets are now passed securely using OpenHands SDK's built-in mechanism
  2. Follows Best Practices: Aligns with software-agent-sdk examples
  3. Better Security: No need to export sensitive tokens as environment variables
  4. Reliability: Secrets are guaranteed to be available to agents during execution
  5. Maintainability: Cleaner code following established patterns

Testing

  • ✅ All modified files compile without syntax errors
  • ✅ Created and ran test script to verify secret passing works correctly
  • ✅ Example script demonstrates the new functionality

Files Changed

  • src/agents/base_agent.py: Updated conversation creation with secrets support
  • src/agents/cve_scanner.py: Updated to use new secret passing pattern
  • src/agents/cve_solver.py: Updated to use new secret passing pattern
  • SECRETS_MIGRATION.md: Added comprehensive migration documentation
  • example_secrets_usage.py: Added demonstration script

The agents will continue to work exactly as before from a user perspective, but now use the proper OpenHands SDK pattern for handling secrets securely.

@rbren can click here to continue refining the PR

@openhands-agent
Migrate to proper secret passing using OpenHands SDK pattern
56a9ebd 
- Replace environment variable exports with conversation.update_secrets()
- Update BaseAgent.create_agent_conversation() to accept secrets parameter
- Remove setup_git_environment() method in favor of get_github_token()
- Update CVE scanner and solver to pass GITHUB_TOKEN as secret
- Follow pattern from openhands/software-agent-sdk examples
- Add documentation and example demonstrating the new approach

This ensures GITHUB_TOKEN is securely passed to conversations without
relying on workspace environment variable exports.

Co-authored-by: openhands <[email protected]>
@openhands-agent
Remove documentation and example files
e9aeaad 
Keep only the core implementation changes for secret passing migration.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rbren @openhands-agent