Clarify production environment secret setup #753
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -59,6 +59,19 @@ passes `production_environment: production`; the upstream reusable workflow runs | |||||||||||||
| its production job in that environment, and GitHub injects the production token | ||||||||||||||
| only after approval. | ||||||||||||||
|
|
||||||||||||||
| If promotion fails with | ||||||||||||||
| `CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment.`, | ||||||||||||||
| the token is missing from the environment scope. A repository or organization | ||||||||||||||
| secret with the same name is not enough for this workflow. Create or verify the | ||||||||||||||
| environment secret with: | ||||||||||||||
| You need permission to manage repository environments and secrets to run these | ||||||||||||||
| commands. | ||||||||||||||
|
Comment on lines
+65
to
+68
There was a problem hiding this comment. Same prose-flow issue as in
Suggested change
|
||||||||||||||
|
|
||||||||||||||
|
There was a problem hiding this comment. The other two files (
This is the key clarification that prevents confusion. It's missing here, leaving team members without the explicit warning.
Suggested change
Member
Author
There was a problem hiding this comment. Fixed in f76c3a1 by adding the missing repository/organization-secret warning to |
||||||||||||||
| ```sh | ||||||||||||||
| gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production | ||||||||||||||
| gh secret list --repo shakacode/react-webpack-rails-tutorial --env production | ||||||||||||||
| ``` | ||||||||||||||
|
|
||||||||||||||
| Generated caller workflows pass only the named secrets each upstream workflow | ||||||||||||||
| needs. They do not use `secrets: inherit`; `CPLN_TOKEN_PRODUCTION` is supplied | ||||||||||||||
| only by the protected `production` Environment after approval. | ||||||||||||||
|
|
||||||||||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -70,6 +70,19 @@ prevent self-review. The generated promotion wrapper passes only the staging | |||||||||||||
| token from repository secrets; GitHub injects `CPLN_TOKEN_PRODUCTION` only after | ||||||||||||||
| the environment approval gate passes. | ||||||||||||||
|
|
||||||||||||||
| If promotion fails with | ||||||||||||||
| `CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment.`, | ||||||||||||||
| the token is missing from the environment scope. A repository or organization | ||||||||||||||
| secret with the same name is not enough for this workflow. Create or verify the | ||||||||||||||
| environment secret with: | ||||||||||||||
| You need permission to manage repository environments and secrets to run these | ||||||||||||||
| commands. | ||||||||||||||
|
Comment on lines
+76
to
+79
There was a problem hiding this comment. Same prose-flow issue — permission note interrupts the colon→code-block expectation.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| ```sh | ||||||||||||||
| gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production | ||||||||||||||
| gh secret list --repo shakacode/react-webpack-rails-tutorial --env production | ||||||||||||||
| ``` | ||||||||||||||
|
|
||||||||||||||
| Before the first promotion, bootstrap the production app the same way in the | ||||||||||||||
| production org, using production-only secrets and values. | ||||||||||||||
|
|
||||||||||||||
|
|
||||||||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The permission note was inserted between the colon-ending sentence and its code block, breaking the prose flow. A sentence ending with
:implies the code block immediately follows — a reader following the colon lands on a second sentence instead.Consider either folding the caveat into the lead-in line or placing it after the block: