
EnsureRightLabelOnSecret: dual label support for workflow_owner and org_id #21680

Open
prashantkumar1982 wants to merge 1 commit into develop from pyadav/vault-dual-label-support

Conversation

@prashantkumar1982 (Contributor) commented Mar 24, 2026

Summary

  • Update EnsureRightLabelOnSecret to accept explicit workflowOwner and orgID parameters, supporting dual label encoding: ETH address (left-padded) for legacy secrets and SHA256(org_id) for new secrets. Either parameter can be empty to skip that check.
  • Centralize all label-related utilities in core/capabilities/vault/vaultutils/labels.go: OwnerToLabel, EncryptSecretWithWorkflowOwner, EncryptSecretWithOrgID.
  • Update all callers (validator.go, plugin.go, system-tests vault.go) to use the new signature and shared utilities.
  • Add comprehensive unit tests for EnsureRightLabelOnSecret and OwnerToLabel covering dual-label matching, backward compat, error cases, and migration scenarios.

Context

Part of the JWT-based authorization work for Vault. This PR is standalone with no behavior change — existing callers pass "" for orgID, preserving current behavior. The orgID parameter will be wired in by a later PR (plugin changes + final wiring).

…rg_id

Update EnsureRightLabelOnSecret to accept explicit workflowOwner and orgID
parameters, supporting both ETH address (left-padded) and SHA256(org_id)
label encodings. Centralize all label utilities in vaultutils/labels.go.

Made-with: Cursor
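The dual-label scheme the summary describes, written out as an added example (not the PR's own code): an Ethereum address becomes a 32-byte label by left-padding the 20-byte address with 12 zero bytes, any other owner string is SHA256-hashed as an org_id, and EnsureRightLabelOnSecret accepts a label that matches either non-empty candidate. The hex-address check is a local stand-in for go-ethereum's common.IsHexAddress (an assumption, so the example has no external dependency).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// isHexAddress is a stand-in (assumption) for go-ethereum's common.IsHexAddress:
// an optional 0x prefix followed by exactly 40 hex characters.
func isHexAddress(s string) bool {
	s = strings.TrimPrefix(s, "0x")
	_, err := hex.DecodeString(s)
	return len(s) == 40 && err == nil
}

// OwnerToLabel encodes an owner as a 32-byte label: an Ethereum address is left-padded
// with 12 zero bytes (legacy workflow_owner); anything else is an org_id and is SHA256-hashed.
func OwnerToLabel(owner string) [32]byte {
	if !isHexAddress(owner) {
		return sha256.Sum256([]byte(owner))
	}
	var label [32]byte
	addr, _ := hex.DecodeString(strings.TrimPrefix(owner, "0x")) // validated above
	copy(label[12:], addr) // 12 zero bytes followed by the 20-byte address
	return label
}

// EnsureRightLabelOnSecret accepts the label if it matches the workflow owner label or
// the org_id label; an empty parameter skips that check (callers passing "" keep legacy behaviour).
func EnsureRightLabelOnSecret(label [32]byte, workflowOwner, orgID string) error {
	if workflowOwner == "" && orgID == "" {
		return errors.New("no workflow owner or org_id supplied to verify the secret label")
	}
	for _, owner := range []string{workflowOwner, orgID} {
		if owner != "" && OwnerToLabel(owner) == label {
			return nil
		}
	}
	return errors.New("secret label does not match workflow owner or org_id")
}

func main() {
	owner := "0x000000000000000000000000000000000000dEaD" // constructed sample address
	legacy := OwnerToLabel(owner)                          // address-encoded legacy label
	fmt.Println(EnsureRightLabelOnSecret(legacy, owner, "org-123")) // <nil>: matches workflow owner
	fmt.Println(EnsureRightLabelOnSecret(legacy, "", "org-123"))    // error: only the org_id label is checked
}
```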
@github-actions (Contributor)

👋 prashantkumar1982, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions (Contributor)

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and in its text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions (Contributor)

✅ No conflicts with other open PRs targeting develop

// - Ethereum address (detected via common.IsHexAddress): left-padded with 12 zero bytes
// followed by the 20-byte address, matching the legacy workflow_owner encoding.
// - org_id (any non-address string): SHA256 hash of the org_id string.
func OwnerToLabel(owner string) [32]byte {
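Review bot: The doc comment on OwnerToLabel says the branch is chosen by common.IsHexAddress, so an org_id that happens to be a 40-character hex string would be encoded as a left-padded address rather than hashed; either state that constraint on org_id values in the comment or validate org_id against it where the value enters the system.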
Contributor

I would consider adding a version bit going forward.
That way we can just check this first, and if it's present we'll know it's an org; if not, we know it has to be an address.

@cl-sonarqube-production

Quality Gate failed

Failed conditions
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube


@trunk-io

trunk-io bot commented Mar 24, 2026


Failed tests and failure summaries:

  • TestPlugin_Observation_GetSecretsRequest_PublicKeyIsInvalid: The test failed because the secret label did not match the expected owner labels, indicating an invalid public key or label mismatch.
  • TestPlugin_Observation_GetSecretsRequest_FillsInNamespace: The test failed because the secret label did not match the expected owner label, causing the secret verification to fail.
  • TestPlugin_Observation_CreateSecretsRequest_Success: The test failed because secret label verification did not match any of the provided owner labels.
