fix(ci): include RESEND_API_KEY in wot-api --set-secrets so autodeploy stops dropping it #240
Merged
The deploy-api step's `--set-secrets` flag REPLACES the Cloud Run service's entire secret set on every deploy. RESEND_API_KEY was added to wot-api manually (via `gcloud run services update`) after this list was last written, so it was not in the flag - and the next autodeploy silently dropped it.

Effect: wot-api lost RESEND_API_KEY on deploy, `default_client()` fell back to NoopEmailClient, and every magic-link sign-in email was silently dropped (signup still returns 202). Observed live on revision wot-api-00112; restored manually as wot-api-00113.

Adds RESEND_API_KEY=RESEND_API_KEY:latest to the list so the secret survives every autodeploy. The secret already exists in Secret Manager and the Cloud Run runtime service account already has accessor rights.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

The `deploy-api` step's `--set-secrets` flag replaces the Cloud Run service's entire secret set on every deploy. Any secret not in that list is silently dropped from the next revision.

`RESEND_API_KEY` was provisioned on `wot-api` manually (`gcloud run services update`) after this list was last written, so it was never added to the flag. It survived only until the next autodeploy.

Impact (observed in production)

When PR #239 was deployed:

- `wot-main-autodeploy` ran `cloudbuild.yaml` → `--set-secrets` rebuilt the secret set without `RESEND_API_KEY`.
- `wot-api-00112` came up missing the key.
- `default_client()` in `world_of_taxonomy/auth/email.py` saw no `RESEND_API_KEY` → fell back to `NoopEmailClient`.
- `/developers/signup` still returns `202`, so there is no visible error).

The key was restored manually as revision `wot-api-00113`, but the next autodeploy would drop it again — this PR makes the fix durable.

Change

One line — adds `RESEND_API_KEY=RESEND_API_KEY:latest` to the `deploy-api` `--set-secrets` list, plus a comment explaining the replace-not-merge semantics so the next secret is not omitted the same way.

Safety

- `RESEND_API_KEY` secret already exists in Secret Manager (`colaberry-wot`).
- `secretmanager.secretAccessor` on it (revisions 00110 / 00111 / 00113 mounted it fine).
- `cloudbuild.yaml` parses as valid YAML.

Note (not in this PR)

`RESEND_SENDER` is a plain env var, not a secret — it currently persists across deploys only because the `deploy-api` step has no `--set-env-vars`. That is fine today but is implicit; worth making explicit later if env handling changes.

🤖 Generated with Claude Code
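
A pre-deploy guard for the replace-not-merge behaviour described in this PR, added here as an example (not code from the PR or the project): it lists the secret-backed env vars on the live service that a given `--set-secrets` value would drop. The service JSON, `DATABASE_URL` and the sender address are constructed sample data shaped like `gcloud run services describe --format=json` output; only env-var secrets are checked, not secrets mounted as volumes.

```python
import json

# Constructed sample shaped like `gcloud run services describe wot-api --format=json`.
# DATABASE_URL and the sender address are hypothetical; RESEND_* names are from the PR.
SERVICE = json.loads("""
{"spec": {"template": {"spec": {"containers": [{"env": [
  {"name": "DATABASE_URL",
   "valueFrom": {"secretKeyRef": {"name": "DATABASE_URL", "key": "latest"}}},
  {"name": "RESEND_API_KEY",
   "valueFrom": {"secretKeyRef": {"name": "RESEND_API_KEY", "key": "latest"}}},
  {"name": "RESEND_SENDER", "value": "noreply@example.com"}
]}]}}}}
""")

FLAG_BEFORE = "DATABASE_URL=DATABASE_URL:latest"
FLAG_AFTER = FLAG_BEFORE + ",RESEND_API_KEY=RESEND_API_KEY:latest"


def parse_set_secrets(flag_value):
    """Parse 'ENV=SECRET:VERSION,...' into {target: secret_ref}."""
    mapping = {}
    for item in filter(None, (part.strip() for part in flag_value.split(","))):
        target, _, ref = item.partition("=")
        if not target or not ref:
            raise ValueError(f"malformed --set-secrets entry: {item!r}")
        mapping[target] = ref
    return mapping


def live_secret_envs(service):
    """Names of env vars on the live revision that are backed by a secret."""
    names = set()
    for container in service["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            # Plain env vars (e.g. RESEND_SENDER) carry "value", not "valueFrom".
            if "secretKeyRef" in env.get("valueFrom", {}):
                names.add(env["name"])
    return names


def dropped_by_deploy(flag_value, service):
    """Secrets mounted today that the next deploy would silently remove."""
    return sorted(live_secret_envs(service) - set(parse_set_secrets(flag_value)))


if __name__ == "__main__":
    for label, flag in (("before", FLAG_BEFORE), ("after", FLAG_AFTER)):
        print(label, "would drop:", dropped_by_deploy(flag, SERVICE) or "nothing")
```

Run as a CI step before the deploy and fail the build when `dropped_by_deploy` returns a non-empty list, so a manually added secret is caught before the revision goes live.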