chore: Revert to use secrets in GitHub; despite security issues, we already do so even more permissively in PR action

anth-volk · anth-volk · commit fe0d8d09a1fd · 2025-08-12T00:14:06.000-02:30
diff --git a/.github/scripts/deploy-app-engine.sh b/.github/scripts/deploy-app-engine.sh
@@ -23,13 +23,34 @@ echo "Image: $IMAGE_NAME:$IMAGE_TAG"
 echo "Version: $IMAGE_TAG"
 echo "Service Account: $SERVICE_ACCOUNT"
 echo "App YAML: $APP_YAML_PATH"
-echo "Environment Variables: Will be loaded from Secret Manager via app.yaml"
+# Define environment variables to set
+declare -A ENV_VARS=(
+    ["AUTH0_ADDRESS_NO_DOMAIN"]="$AUTH0_ADDRESS_NO_DOMAIN"
+    ["AUTH0_AUDIENCE_NO_DOMAIN"]="$AUTH0_AUDIENCE_NO_DOMAIN"
+    ["USER_ANALYTICS_DB_USERNAME"]="$USER_ANALYTICS_DB_USERNAME"
+    ["USER_ANALYTICS_DB_PASSWORD"]="$USER_ANALYTICS_DB_PASSWORD"
+    ["USER_ANALYTICS_DB_CONNECTION_NAME"]="$USER_ANALYTICS_DB_CONNECTION_NAME"
+    ["ANTHROPIC_API_KEY"]="$ANTHROPIC_API_KEY"
+)
+
+# Build the --set-env-vars string
+ENV_VARS_STRING=""
+for key in "${!ENV_VARS[@]}"; do
+    if [ -n "${ENV_VARS[$key]}" ]; then
+        ENV_VARS_STRING="$ENV_VARS_STRING --set-env-vars $key=${ENV_VARS[$key]}"
+    else
+        echo "Warning: $key is not set"
+    fi
+done
+
+echo "Environment Variables: ${#ENV_VARS[@]} variables will be set"
 
 # Deploy to App Engine using the pre-built image
 gcloud app deploy "$APP_YAML_PATH" \
     --image-url="$IMAGE_NAME:$IMAGE_TAG" \
     --version="$IMAGE_TAG" \
     --service-account="$SERVICE_ACCOUNT" \
-    --quiet
+    --quiet \
+    $ENV_VARS_STRING
 
 echo "App Engine deployment completed successfully"
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -119,6 +119,12 @@ jobs:
           IMAGE_TAG: ${{ github.sha }}
           SERVICE_ACCOUNT: github-deployment@policyengine-household-api.iam.gserviceaccount.com
           APP_YAML_PATH: ./gcp/policyengine_household_api/app.yaml
+          AUTH0_ADDRESS_NO_DOMAIN: ${{ secrets.AUTH0_ADDRESS_NO_DOMAIN }}
+          AUTH0_AUDIENCE_NO_DOMAIN: ${{ secrets.AUTH0_AUDIENCE_NO_DOMAIN }}
+          USER_ANALYTICS_DB_USERNAME: ${{ secrets.USER_ANALYTICS_DB_USERNAME }}
+          USER_ANALYTICS_DB_PASSWORD: ${{ secrets.USER_ANALYTICS_DB_PASSWORD }}
+          USER_ANALYTICS_DB_CONNECTION_NAME: ${{ secrets.USER_ANALYTICS_DB_CONNECTION_NAME }}
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
         run: .github/scripts/deploy-app-engine.sh
 
       - name: Set traffic to new version
diff --git a/gcp/policyengine_household_api/app.yaml b/gcp/policyengine_household_api/app.yaml
@@ -18,12 +18,3 @@ liveness_check:
 readiness_check:
   path: "/readiness-check"
   app_start_timeout_sec: 600
-
-# Environment variables loaded from Google Cloud Secret Manager
-env_variables:
-  AUTH0_ADDRESS_NO_DOMAIN: "projects/policyengine-household-api/secrets/AUTH0_ADDRESS_NO_DOMAIN/versions/latest"
-  AUTH0_AUDIENCE_NO_DOMAIN: "projects/policyengine-household-api/secrets/AUTH0_AUDIENCE_NO_DOMAIN/versions/latest"
-  USER_ANALYTICS_DB_USERNAME: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_USERNAME/versions/latest"
-  USER_ANALYTICS_DB_PASSWORD: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_PASSWORD/versions/latest"
-  USER_ANALYTICS_DB_CONNECTION_NAME: "projects/policyengine-household-api/secrets/USER_ANALYTICS_DB_CONNECTION_NAME/versions/latest"
-  ANTHROPIC_API_KEY: "projects/policyengine-household-api/secrets/ANTHROPIC_API_KEY/versions/latest"
