From e279fa17ed90308ad8f786f44db394253335f007 Mon Sep 17 00:00:00 2001
From: colaberry016
Date: Sat, 23 May 2026 00:13:54 +0530
Subject: [PATCH] fix(ci): include RESEND_API_KEY in wot-api --set-secrets

The deploy-api step's `--set-secrets` flag REPLACES the Cloud Run service's entire secret set on every deploy. RESEND_API_KEY was added to wot-api manually (via `gcloud run services update`) after this list was last written, so it was not in the flag - and the next autodeploy silently dropped it.

Effect: wot-api lost RESEND_API_KEY on deploy, `default_client()` fell back to NoopEmailClient, and every magic-link sign-in email was silently dropped (signup still returns 202). Observed live on revision wot-api-00112; restored manually as wot-api-00113.

Adds RESEND_API_KEY=RESEND_API_KEY:latest to the list so the secret survives every autodeploy. The secret already exists in Secret Manager and the Cloud Run runtime service account already has accessor rights.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cloudbuild.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 6e529c4..f122bee 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -112,7 +112,11 @@ steps: - --concurrency=80 - --timeout=300s - --add-cloudsql-instances=${_INSTANCE_CONN} - - --set-secrets=DATABASE_URL=DATABASE_URL:latest,JWT_SECRET=JWT_SECRET:latest,REPORT_EMAIL=REPORT_EMAIL:latest,STRIPE_SECRET_KEY=STRIPE_SECRET_KEY:latest,STRIPE_WEBHOOK_SECRET=STRIPE_WEBHOOK_SECRET:latest,STRIPE_PRICE_ID_PRO_MONTHLY=STRIPE_PRICE_ID_PRO_MONTHLY:latest,STRIPE_PRICE_ID_PRO_ANNUAL=STRIPE_PRICE_ID_PRO_ANNUAL:latest,STRIPE_PRICE_ID_PRO_OVERAGE=STRIPE_PRICE_ID_PRO_OVERAGE:latest + # --set-secrets REPLACES the service's entire secret set on every + # deploy, so it must list every secret wot-api needs - any omission + # is silently dropped. RESEND_API_KEY powers magic-link sign-in + # email; leaving it off here drops it on the next autodeploy. + - --set-secrets=DATABASE_URL=DATABASE_URL:latest,JWT_SECRET=JWT_SECRET:latest,REPORT_EMAIL=REPORT_EMAIL:latest,RESEND_API_KEY=RESEND_API_KEY:latest,STRIPE_SECRET_KEY=STRIPE_SECRET_KEY:latest,STRIPE_WEBHOOK_SECRET=STRIPE_WEBHOOK_SECRET:latest,STRIPE_PRICE_ID_PRO_MONTHLY=STRIPE_PRICE_ID_PRO_MONTHLY:latest,STRIPE_PRICE_ID_PRO_ANNUAL=STRIPE_PRICE_ID_PRO_ANNUAL:latest,STRIPE_PRICE_ID_PRO_OVERAGE=STRIPE_PRICE_ID_PRO_OVERAGE:latest waitFor: ['migrate-db'] # --- Frontend (built AFTER backend URL is known) ---
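
Review bot: the new `--set-secrets` line still relies on a hand-maintained list being complete, so the next secret attached out of band with `gcloud run services update` will be dropped exactly as RESEND_API_KEY was; the added comment documents the hazard but nothing enforces it. Either make cloudbuild.yaml the only place secrets are attached and add a pre-deploy step that fails the build when the live wot-api service carries a secret name missing from this list, or switch the flag to `--update-secrets`, which leaves secrets not named in the flag in place. Separately, the commit message says the missing key made `default_client()` fall back to NoopEmailClient while signup still returned 202; a startup check that refuses to boot in production without RESEND_API_KEY would turn this kind of omission into a failed revision rather than silently dropped sign-in email.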