Add --push-secrets option to exec for pushing .env files

[anatoly-pashin-axon21]

This is meant to replace #1223: as it was mentioned in the discussion, a flag might be a better option.

[djmb]

Thanks for the PR @anatoly-pashin-axon21.

I think we need a couple of changes here:

1. We should also allow --push_secrets for the interactive app exec.
2. We should raise an exception if --push_secrets is combined with --reuse

[anatoly-pashin-axon21]

@djmb the comments are addressed, please review again

[anatoly-pashin-axon21]

Hi @djmb, is there anything I can do to help get this included in a release?

[Copilot]

Pull request overview

Adds an opt-in --push-secrets flag to kamal app exec so operators can push the role env files to target servers immediately before running an exec command, ensuring secrets are available in the ephemeral container when needed.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Changes:

• Add --push-secrets boolean option to kamal app exec that uploads role env files before running docker run.
• Reject the unsupported combination --push-secrets + --reuse.
• Add CLI tests covering --push-secrets behavior for normal, primary-only, interactive, and incompatible --reuse usage.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
lib/kamal/cli/app.rb	Implements --push-secrets flag and env-file upload flow (and blocks it with --reuse).
test/cli/app_test.rb	Adds coverage for exec with/without --push-secrets, including interactive mode and the --reuse incompatibility.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.