fix: For security reasons, move deploy secrets to Google Cloud Secret Manager

Author: anth-volk

.github/scripts/deploy-app-engine.sh

@@ -23,6 +23,7 @@ echo "Image: $IMAGE_NAME:$IMAGE_TAG"
 echo "Version: $IMAGE_TAG"
 echo "Service Account: $SERVICE_ACCOUNT"
 echo "App YAML: $APP_YAML_PATH"
+echo "Environment Variables: Will be loaded from Secret Manager via app.yaml"
 
 # Deploy to App Engine using the pre-built image
 gcloud app deploy "$APP_YAML_PATH" \

.github/workflows/deploy-production.yml

@@ -82,7 +82,7 @@ jobs:
         run: |
           echo "Verifying image was pushed to GitHub Container Registry..."
           docker pull ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          echo "✅ Image successfully pushed and can be pulled"
+          echo "Image successfully pushed and can be pulled"
 
   # Deploy to App Engine using pre-built Docker image from GitHub Container Registry
   deploy:

gcp/policyengine_household_api/app.yaml

@@ -17,4 +17,13 @@ liveness_check:
   success_threshold: 2
 readiness_check:
   path: "/readiness-check"
-  app_start_timeout_sec: 600
+  app_start_timeout_sec: 600
+
+# Environment variables loaded from Google Cloud Secret Manager
+env_variables:
+  AUTH0_ADDRESS_NO_DOMAIN: "projects/policyengine-household-api/secrets/AUTH0_ADDRESS_NO_DOMAIN/versions/latest"
+  AUTH0_AUDIENCE_NO_DOMAIN: "projects/policyengine-household-api/secrets/AUTH0_AUDIENCE_NO_DOMAIN/versions/latest"
+  USER_ANALYTICS_DB_USERNAME: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_USERNAME/versions/latest"
+  USER_ANALYTICS_DB_PASSWORD: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_PASSWORD/versions/latest"
+  USER_ANALYTICS_DB_CONNECTION_NAME: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_CONNECTION_NAME/versions/latest"
+  ANTHROPIC_API_KEY: "projects/policyengine-household-api/secrets/ANTHROPIC_API_KEY/versions/latest"