Bug fixes (#240)

* Harden token generation: add validation, impersonate SA if provided; propagate CAPY_SERVICE_ACCOUNT to deploy workflow.

* Fail fast if active gcloud account isn’t a service account and no CAPY_SERVICE_ACCOUNT is set.

* Script bug fixes

* Clean up

Author: maximbilan

.github/workflows/deploy.yml

@@ -37,7 +37,6 @@ jobs:
         CAPY_PROJECT_ID: ${{ secrets.CAPY_PROJECT_ID }}
         CAPY_SERVER_REGION: ${{ secrets.CAPY_SERVER_REGION }}
         CAPY_THERAPY_SESSION_URL: ${{ secrets.CAPY_THERAPY_SESSION_URL }}
-        CAPY_AGENT_TOKEN: ${{ secrets.CAPY_AGENT_TOKEN }}
       shell: bash
 
   create-tag:

scripts/deploy_functions.sh

@@ -16,12 +16,14 @@ PROJECT_ID=$CAPY_PROJECT_ID
 source ./scripts/get_version.sh
 APP_VERSION=$(get_version)
 
-# Generate agent token and export into CAPY_AGENT_TOKEN
-# Use bash to avoid relying on executable bit in CI
-CAPY_AGENT_TOKEN="$(bash ./scripts/generate_agent_token.sh | tr -d '\n')"
-if [ -z "$CAPY_AGENT_TOKEN" ]; then
-  echo "Failed to generate CAPY_AGENT_TOKEN" >&2
-  exit 1
+# Ensure CAPY_AGENT_TOKEN is set; generate if missing
+if [ -z "${CAPY_AGENT_TOKEN:-}" ]; then
+  # Use bash to avoid relying on executable bit in CI
+  CAPY_AGENT_TOKEN="$(bash ./scripts/generate_agent_token.sh | tr -d '\n')"
+  if [ -z "$CAPY_AGENT_TOKEN" ]; then
+    echo "Failed to generate CAPY_AGENT_TOKEN" >&2
+    exit 1
+  fi
 fi
 
 # Set environment variables

scripts/generate_agent_token.sh

@@ -1,4 +1,3 @@
 #!/bin/bash
 
-# Use the active credentials (set by CI auth) to mint an identity token
-gcloud auth print-identity-token --audiences="$CAPY_THERAPY_SESSION_URL"
+gcloud auth print-identity-token