docs(ci): move runtime keys to Secret Manager, update README

EvMossan · EvMossan · commit 2423eca17bbd · 2025-06-22T19:28:15.000+03:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,49 +1,47 @@
-# GitHub Actions workflow
-# ──────────────────────────────────────────────────────────────────────────
-#  • Builds the application with Cloud Build (Buildpacks, from source).
-#  • Deploys the resulting container as a new revision of the existing
-#    Cloud Run service “wasteassistant”.
-#  • Passes runtime secrets (OpenAI key + Flask secret) via env-vars.
-#  • Triggers on every push to main and via the manual “Run workflow” button.
-# ──────────────────────────────────────────────────────────────────────────
+# .github/workflows/deploy.yml
+# ------------------------------------------------------------------
+# Build the app from source (Buildpacks) and deploy to Cloud Run.
+# Secrets flow:
+#   • GitHub    : GCP_SA_KEY  (JSON), GCP_PROJECT_ID, GCP_REGION
+#   • SecretMgr : OPENAI_API_KEY , FLASK_SECRET   ← mounted at runtime
+# ------------------------------------------------------------------
 
 name: Build & Deploy to Cloud Run
 
-# ─── Triggers ────────────────────────────────────────────────────────────
+# ───────────────────────────── triggers ──────────────────────────────
 on:
-  push:                    # automatic deploy on each push to main
+  push:                    # every push to main
     branches: ["main"]
-  workflow_dispatch:       # enable manual runs from the UI
+  workflow_dispatch:       # manual trigger
 
-# ─── Job definition ──────────────────────────────────────────────────────
+# ───────────────────────────── job ───────────────────────────────────
 jobs:
   build-and-deploy:
-    runs-on: ubuntu-latest            # GitHub-hosted runner
+    runs-on: ubuntu-latest
 
     steps:
-    # 1️⃣ Check out repository contents at the current commit
+    # 1️⃣ Checkout repo
     - name: Checkout source
       uses: actions/checkout@v4
 
-    # 2️⃣ Authenticate to Google Cloud using a service-account key
-    #     stored in the secret GCP_SA_KEY (JSON key with the required roles).
+    # 2️⃣ Authenticate to GCP with the service-account JSON key
     - name: Authenticate to Google Cloud
       uses: google-github-actions/auth@v1
       with:
         credentials_json: ${{ secrets.GCP_SA_KEY }}
 
-    # 3️⃣ Build from source and deploy in a single command.
-    #     The Buildpacks flow (source: .) invokes Cloud Build automatically,
-    #     stores the image in Artifact Registry and creates a new revision.
-    #     env_vars injects the runtime secrets into the container.
+    # 3️⃣ Build + deploy; mount secrets from Secret Manager
     - name: Deploy to Cloud Run
       uses: google-github-actions/deploy-cloudrun@v2
       with:
-        service: wasteassistant                # existing Cloud Run service
-        source: .                              # buildpacks build from repo root
+        service: wasteassistant               # pre-created Cloud Run service
+        source:  .                            # Buildpacks build from repo root
         project_id: ${{ secrets.GCP_PROJECT_ID }}
         region:     ${{ secrets.GCP_REGION }}
-        env_vars: |                            # runtime secrets
-          api_key=${{ secrets.OPENAI_API_KEY }}
-          secret_key=${{ secrets.FLASK_SECRET }}
-        flags: --allow-unauthenticated         # keep the public URL open
+
+        # ↳ map Secret Manager versions → env-vars at runtime
+        secrets: |
+          OPENAI_API_KEY=projects/${{ secrets.GCP_PROJECT_ID }}/secrets/OPENAI_API_KEY:latest
+          FLASK_SECRET=projects/${{ secrets.GCP_PROJECT_ID }}/secrets/FLASK_SECRET:latest
+
+        flags: --allow-unauthenticated        # keep public endpoint
diff --git a/README.md b/README.md
@@ -1,108 +1,132 @@
 # Waste Assistant Chatbot for Jyväskylä ♻️
 
-**Waste Assistant** is a friendly Flask + OpenAI bot that helps newcomers—and anyone else—figure out where every item belongs in the city’s recycling system.
+**Waste Assistant** is a friendly Flask + OpenAI bot that helps newcomers—and anyone else—figure out where every item belongs in the city’s recycling system.
 
-> "Where should this go in Jyväskylä?"
+> “Where should this go in Jyväskylä?”\
 > Ask in English or Finnish, or snap a photo—the bot knows the answer.
 
-<p align="center">
-  <img src="docs/demo.png" alt="Demo screenshot" width="300">
-</p>
-
-
 ---
 
 ## ✨ Features
 
-* **Local expertise** Tailored to Jyväskylä’s official sorting rules.
-* **Text *or* photo** Type a question *or* upload an image of the item.
-* **Bilingual UI** Instantly switch between **English** and **Finnish**.
-* **Smart image compression** 500 × 500 JPEG (quality 75) before sending to OpenAI → fewer tokens & lower cost.
-* **GPT-4o-mini vision + chat** One model for language *and* image reasoning.
-* **Serverless host** Runs on Google Cloud Run; scales to zero when idle.
+- **Local expertise** — tailored to Jyväskylä’s official sorting rules.
+- **Text *****or***** photo** — type a question *or* upload an image of the item.
+- **Bilingual UI** — instantly switch between **English** and **Finnish**.
+- **Smart image compression** — 500 × 500 JPEG (quality 75) → fewer OpenAI tokens & lower cost.
+- **GPT‑4o‑mini vision + chat** — one model for language *and* image reasoning.
+- **Serverless host** — runs on Google Cloud Run; scales to zero when idle.
 
 ---
 
 ## 🔧 Tech stack
 
-| Layer         | Tool / Service                 |
-| ------------- | ------------------------------ |
-| Language      | Python 3.10                    |
-| Web framework | Flask                          |
-| AI / Vision   | OpenAI API (gpt-4o-mini)       |
-| Container     | Docker                         |
-| CI / CD       | GitHub Actions  →  Cloud Build |
-| Runtime       | Google Cloud Run               |
+| Layer         | Tool / Service               |
+| ------------- | ---------------------------- |
+| Language      | Python 3.10                  |
+| Web framework | Flask                        |
+| AI / Vision   | OpenAI API (gpt‑4o‑mini)     |
+| Container     | Docker                       |
+| CI / CD       | GitHub Actions → Cloud Build |
+| Runtime       | Google Cloud Run             |
 
 ---
 
-## 🚀 Quick start (local)
+## 🚀 Quick start (local)
 
 ```bash
-# 1 Clone & enter repo
-git clone https://github.com/<your-user>/waste-assistant.git
+# 1 Clone & enter repo
+git clone https://github.com/<your‑user>/waste-assistant.git
 cd waste-assistant
 
-# 2 Virtual env
+# 2 Virtual env
 python -m venv venv
 source venv/bin/activate   # Windows: venv\Scripts\activate
 
-# 3 Install deps
+# 3 Install deps
 pip install -r requirements.txt
 
-# 4 Create .env
+# 4 Create .env (local only)
 cat > .env <<EOF
 api_key=YOUR_OPENAI_API_KEY
 secret_key=YOUR_FLASK_SECRET_KEY
 EOF
 
-# 5 Run
+# 5 Run
 python app.py   # → http://localhost:8086
 ```
 
 Open the URL, ask “Where do I throw plastic bags?” or upload a picture, and get an instant answer.
 
 ---
 
-## 🖥️ Usage tips
+## 🖥️ Usage tips
 
-* **Ask anything** "Cardboard pizza box?", "Where do batteries go?" …
-  The bot replies with the right bin, plus nuances (e.g. rinse / remove labels).
-* **Photo mode** Drag-and-drop or tap the camera icon on mobile.
-  The compressed image is analysed by GPT-4o-mini vision.
-* **Session memory** Context survives for 30 minutes so follow-ups are fluid.
+- **Ask anything** — "Cardboard pizza box?", "Where do batteries go?" …\
+  The bot replies with the right bin, plus nuances (e.g. rinse / remove labels).
+- **Photo mode** — drag‑and‑drop or tap the camera icon on mobile.\
+  The compressed image is analysed by GPT‑4o‑mini vision.
+- **Session memory** — context survives for 30 minutes so follow‑ups are fluid.
 
 ---
 
 ## 🗂️ Code overview
 
-* **`main.py`** Flask routes (`/`, `/ask`, `/reset`) + OpenAI calls.
-* **Prompts** System messages live in `model_instructions/` (EN & FI).
-* **Image pipeline** `compress_image()` resizes & recompresses uploads to save tokens.
-* **Session** Flask-Session stores chat history on disk (`./flask_session`).
+- `` — Flask routes (`/`, `/ask`, `/reset`) + OpenAI calls.
+- **Prompts** — system messages live in `model_instructions/` (EN & FI).
+- **Image pipeline** — `compress_image()` resizes & recompresses uploads.
+- **Session** — Flask‑Session stores chat history on disk (`./flask_session`).
 
 ---
 
-## ☁️ Continuous deployment (Cloud Run)
+## ☁️ Continuous deployment (Cloud Run)
+
+The workflow `.github/workflows/deploy.yml` builds from source with Cloud Build and deploys a new revision on every push to `main`.
+
+1. **Checkout** the repo.
+2. **Authenticate** using the service‑account key in `GCP_SA_KEY`.
+3. `gcloud run deploy --source .` — Buildpacks build & push the image.
+4. Cloud Run rolls out the revision and keeps the public URL unchanged.
+
+> Public URL format: `https://wasteassistant‑xxxxx.a.run.app`
+
+### GitHub Secrets required by the workflow
 
-A single GitHub Actions workflow (`.github/workflows/deploy.yml`) handles CI/CD:
+| Name                 | Purpose                                                  |
+| -------------------- | -------------------------------------------------------- |
+| **GCP\_SA\_KEY**     | JSON key with roles: Artifact Registry, Cloud Build, Run |
+| **GCP\_PROJECT\_ID** | e.g. `gpt-models-436109`                                 |
+| **GCP\_REGION**      | e.g. `europe-north1`                                     |
 
-1. **Checkout** code.
-2. **Authenticate** with a service-account key (`GCP_SA_KEY`).
-3. `gcloud run deploy --source .` – Buildpacks build & push the image.
-4. Cloud Run rolls out a new revision of the `wasteassistant` service.
+### Runtime secrets (Secret Manager)
 
-> Public URL format: `https://wasteassistant-xxxxx.a.run.app`
+`OPENAI_API_KEY` and `FLASK_SECRET_KEY` are **not stored in GitHub**. They live in **Google Cloud Secret Manager** and are injected by Cloud Run as environment variables.
 
-Required secrets:
+```bash
+# Create the secrets
+echo -n "sk-…" | gcloud secrets create OPENAI_API_KEY --data-file=-
+openssl rand -hex 32 | gcloud secrets create FLASK_SECRET_KEY --data-file=-
+
+# Allow Cloud Run’s runtime SA to read them
+PROJECT_ID="gpt-models-436109"
+PROJECT_NUM=$(gcloud projects describe $PROJECT_ID --format='value(projectNumber)')
+RUN_SA="${PROJECT_NUM}-compute@developer.gserviceaccount.com"
+
+for SEC in OPENAI_API_KEY FLASK_SECRET_KEY; do
+  gcloud secrets add-iam-policy-binding $SEC \
+    --member="serviceAccount:${RUN_SA}" \
+    --role="roles/secretmanager.secretAccessor"
+done
+```
+
+The workflow maps the latest secret versions to env‑vars:
 
-| Secret name      | Purpose / example value                                |
-| ---------------- | ------------------------------------------------------ |
-| GCP\_SA\_KEY     | JSON key (Artifact Registry + Cloud Build + Run roles) |
-| GCP\_PROJECT\_ID | e.g. `gpt-models-436109`                               |
-| GCP\_REGION      | e.g. `europe-north1`                                   |
-| OPENAI\_API\_KEY | `sk-…`                                                 |
-| FLASK\_SECRET    | `openssl rand -hex 32` (any long random string)        |
+```yaml
+secrets: |
+  OPENAI_API_KEY=projects/${{ secrets.GCP_PROJECT_ID }}/secrets/OPENAI_API_KEY:latest
+  FLASK_SECRET=projects/${{ secrets.GCP_PROJECT_ID }}/secrets/FLASK_SECRET_KEY:latest
+```
+
+The app then reads them with `os.getenv("api_key")` and `os.getenv("secret_key")`.
 
 ---
 
@@ -111,13 +135,14 @@ Required secrets:
 Pull requests are welcome!
 
 1. Fork → branch → commit with clear messages.
-2. Push and open a PR against `main`.
-3. CI will build & deploy the preview automatically.
+2. Push and open a PR against ``.
+3. CI will build & deploy the preview automatically.
 
-Found a bug or want to suggest a new feature? Open an issue.
+Found a bug or have an idea? Open an issue.
 
 ---
 
 ## 📄 License
 
-Apache-2.0.  See `LICENSE` for full text
+Apache‑2.0 — see `LICENSE` for full text.
+
