feat(chart): support github.existingSecret for GITHUB_TOKEN

decobot · claude · decobot · commit 99217c47f456 · 2026-04-24T00:27:28.000-03:00
Reads token from a K8s Secret (via ExternalSecret) instead of
hardcoding in values. Falls back to github.token if set.
Safe: if github key is absent in values, no change to deployment.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/hack/helm-generator/main.go b/hack/helm-generator/main.go
@@ -188,9 +188,15 @@ func addEnvVarsToDeployment(templatesDir string) error {
 	contentStr := string(content)
 
 	// Find the image line and add env vars after it
-	envBlock := `        {{- if or .Values.github.token (and .Values.valkey (get .Values.valkey "sentinelUrls")) }}
+	envBlock := `        {{- if or (and .Values.github (or .Values.github.token .Values.github.existingSecret)) (and .Values.valkey (get .Values.valkey "sentinelUrls")) }}
         env:
-        {{- if .Values.github.token }}
+        {{- if and .Values.github .Values.github.existingSecret }}
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.github.existingSecret | quote }}
+              key: {{ .Values.github.existingSecretKey | default "token" | quote }}
+        {{- else if and .Values.github .Values.github.token }}
         - name: GITHUB_TOKEN
           value: {{ .Values.github.token | quote }}
         {{- end }}
