Skip to content

Clarify production environment secret setup #753

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
justin808 merged 3 commits into from
Jun 2, 2026
Merged

Clarify production environment secret setup #753

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6565ded
Clarify production environment secret setup
justin808 Jun 2, 2026
f76c3a1
Keep production secret docs consistent
justin808 Jun 2, 2026
b31af7b
Address final production secret docs review
justin808 Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .controlplane/readme.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,17 @@ self-review, and consider disabling administrator bypass. Do not store
promotion wrapper does not use `secrets: inherit`; GitHub exposes the production
token only after the environment approval gate passes.

If promotion fails with
`CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment.`,
the token is missing from the environment scope. A repository or organization
secret with the same name is not enough for this workflow. Create or verify the
environment secret with:

```sh
gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production

@claude claude Bot Jun 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gh secret set without --body or piped input will prompt interactively for the secret value, which is the right behaviour — but worth noting for readers who aren't familiar with the CLI, otherwise the command looks incomplete. A short comment like # (prompts for the token value) or a preceding sentence would help.

Suggested change
gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production
gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production # prompts for the token value
gh secret list --repo shakacode/react-webpack-rails-tutorial --env production

gh secret list --repo shakacode/react-webpack-rails-tutorial --env production
```

The matching Control Plane resources are:

| Resource | Name |
Expand Down
9 changes: 9 additions & 0 deletions .controlplane/shakacode-team.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,15 @@ passes `production_environment: production`; the upstream reusable workflow runs
its production job in that environment, and GitHub injects the production token
only after approval.

If promotion fails with
`CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment.`,
the token is missing from the environment scope. Configure it with:

@greptile-apps greptile-apps Bot Jun 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 The two other files (.controlplane/readme.md and .github/cpflow-help.md) include the sentence "A repository or organization secret with the same name is not enough for this workflow." This context is the key reason someone reaches for the gh secret set --env flag rather than the repository-level secret page, and its absence here leaves a gap for readers of this file.

Suggested change
the token is missing from the environment scope. Configure it with:
the token is missing from the environment scope. A repository or organization
secret with the same name is not enough for this workflow. Configure it with:

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@justin808 justin808 Jun 2, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in f76c3a1 by adding the missing repository/organization-secret warning to .controlplane/shakacode-team.md.


@claude claude Bot Jun 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other two files (.controlplane/readme.md and .github/cpflow-help.md) include the sentence:

A repository or organization secret with the same name is not enough for this workflow.

This is the key clarification that prevents confusion. It's missing here, leaving team members without the explicit warning.

Suggested change
the token is missing from the environment scope. A repository or organization
secret with the same name is not enough for this workflow. Configure it with:

@justin808 justin808 Jun 2, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in f76c3a1 by adding the missing repository/organization-secret warning to .controlplane/shakacode-team.md.

```sh
gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production
gh secret list --repo shakacode/react-webpack-rails-tutorial --env production
```

Generated caller workflows pass only the named secrets each upstream workflow
needs. They do not use `secrets: inherit`; `CPLN_TOKEN_PRODUCTION` is supplied
only by the protected `production` Environment after approval.
Expand Down
11 changes: 11 additions & 0 deletions .github/cpflow-help.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,17 @@ prevent self-review. The generated promotion wrapper passes only the staging
token from repository secrets; GitHub injects `CPLN_TOKEN_PRODUCTION` only after
the environment approval gate passes.

If promotion fails with
`CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment.`,
the token is missing from the environment scope. A repository or organization
secret with the same name is not enough for this workflow. Create or verify the
environment secret with:

```sh
gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production
gh secret list --repo shakacode/react-webpack-rails-tutorial --env production
```

Before the first promotion, bootstrap the production app the same way in the
production org, using production-only secrets and values.

Expand Down
Loading