@Copilot Copilot AI commented Sep 25, 2025

Problem

The apify push command had problematic behavior when actor.json contained environment variables that reference non-existent secrets. Instead of failing with a clear error (which would be the expected behavior), it would:

  1. Only show warning messages
  2. Continue with the deployment
  3. Silently omit the environment variables that reference missing secrets

This could lead to actors being deployed in production without required environment variables, potentially causing runtime failures that are difficult to debug.

Solution

Modified the secret handling functions in src/lib/secrets.ts to throw errors instead of emitting warnings when secrets are missing:

  • transformEnvToEnvVars() now collects all missing secrets and throws a single comprehensive error
  • replaceSecretsValue() follows the same pattern for consistency

Error Behavior

When secrets are missing, users now get a clear error message:

Missing secrets: API_TOKEN, DATABASE_URL. Set them by calling "apify secrets add <SECRET_NAME> <SECRET_VALUE>".

Impact

This change affects both:

  • apify push - Now fails when trying to deploy with missing secrets
  • apify run - Now fails when trying to run locally with missing secrets

Backward Compatibility

Fully maintained - All existing functionality works exactly the same for:

  • Valid secrets that exist in the local secrets file
  • Regular environment variables without secret references (@ prefix)
  • Empty environment variable configurations

Optional Flag for Legacy Behavior

Added --ignore-missing-secrets flag to both apify push and apify run commands:

  • When flag is used: Shows warnings for missing secrets and omits those environment variables (original behavior)
  • When flag is not used: Fails immediately with clear error listing all missing secrets (new secure behavior)

This provides a migration path for users who need the old behavior while making the secure approach the default.

Testing

  • Updated existing tests to expect error throwing instead of warning behavior
  • Added comprehensive test coverage for edge cases and integration scenarios
  • Added tests for the new --ignore-missing-secrets flag behavior
  • Verified no regressions in existing functionality
  • All builds, linting, and test suites pass

This ensures users can no longer accidentally deploy actors with missing critical environment variables, while providing clear guidance on how to resolve the issue and an optional flag to preserve legacy behavior when needed.

Original prompt

This section details the original issue you should resolve

<issue_title>apify push ignores missing secrets in actor.json</issue_title>
<issue_description>## Description

The apify push command has problematic behavior when actor.json contains environment variables that reference non-existent secrets. Instead of failing with an error (which would be the expected behavior), it:

  1. Only shows a warning message
  2. Continues with the deployment
  3. Silently omits the environment variables that reference missing secrets

This can lead to actors being deployed in production without required environment variables, potentially causing runtime failures that are difficult to debug.

Expected Behavior

The push command should fail with a clear error message indicating that required secrets are missing, similar to how other validation errors are handled.

Actual Behavior

  • Push succeeds ✅
  • Shows warning: Value for NONEXISTENT_SECRET not found in local secrets. Set it by calling "apify secrets add NONEXISTENT_SECRET [SECRET_VALUE]" ⚠️
  • Actor is deployed without the environment variable (silently omitted)

Root Cause

In src/lib/secrets.ts, both replaceSecretsValue() and transformEnvToEnvVars() functions only emit warnings for missing secrets instead of throwing errors:

// Lines 104-106 in transformEnvToEnvVars()
} else {
    warning({
        message: `Value for ${secretKey} not found in local secrets. Set it by calling "apify secrets add ${secretKey} [SECRET_VALUE]"`,
    });
}

Suggested Fix

The push command should fail when any referenced secrets are missing. This could be implemented by:

  1. Making transformEnvToEnvVars() throw an error instead of just warning when secrets are missing
  2. Or adding validation in the push command to check all secret references before deployment
  3. Potentially adding a --ignore-missing-secrets flag for cases where the current behavior might be desired

Additional Context

This affects the apify push command, the apify run command and potentially other commands.

</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #921

@vladfrangu

@copilot make sure your fix

  • collects all missing secrets
  • has an ignore-missing-secrets flag on the command that keeps the current behavior of emitting a warning

Copilot AI changed the title from "[WIP] apify push ignores missing secrets in actor.json" to "Fix: Make apify push fail when secrets are missing instead of silently continuing" on Sep 25, 2025
Copilot AI requested a review from vladfrangu on September 25, 2025 11:28
Copilot finished work on behalf of vladfrangu September 25, 2025 11:28

Copilot AI commented Sep 25, 2025

@copilot make sure your fix

  • collects all missing secrets
  • has an ignore-missing-secrets flag on the command that keeps the current behavior of emitting a warning

I've implemented the requested changes:

Collects all missing secrets: The fix already collected all missing secrets in a single error message (e.g., "Missing secrets: API_TOKEN, DATABASE_URL")

Added --ignore-missing-secrets flag: Available on both apify push and apify run commands

  • When flag is used: Shows warnings for missing secrets and omits those env vars (original behavior)
  • When flag is not used: Fails immediately with clear error (new secure behavior)

Added comprehensive test coverage for the flag behavior including edge cases. All tests pass and build succeeds.

Commit: 816ca6d
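
The fail-closed resolution discussed in this thread, as an added example that is not code from the pull request or from src/lib/secrets.ts. The function name resolveEnv, the result shape and the sample values are assumptions; only the "@" prefix, the error text and the flag's meaning come from the thread.

```typescript
// Added example; names and shapes are assumptions, not the code in src/lib/secrets.ts.
type EnvVar = { name: string; value: string };
interface ResolveResult {
    envVars: EnvVar[];
    warnings: string[]; // filled only on the --ignore-missing-secrets path
}

const SECRET_PREFIX = '@';

function resolveEnv(
    env: Record<string, string>,
    secrets: Record<string, string>,
    opts: { ignoreMissingSecrets?: boolean } = {},
): ResolveResult {
    const envVars: EnvVar[] = [];
    const missing: string[] = [];

    for (const name of Object.keys(env)) {
        const raw = env[name];
        if (raw.charAt(0) !== SECRET_PREFIX) {
            envVars.push({ name, value: raw }); // plain variable, passed through
            continue;
        }
        const secretKey = raw.slice(SECRET_PREFIX.length);
        // Own-property check: a reference such as "@toString" must count as
        // missing rather than resolve through Object.prototype.
        if (Object.prototype.hasOwnProperty.call(secrets, secretKey)) {
            envVars.push({ name, value: secrets[secretKey] });
        } else {
            missing.push(secretKey); // keep scanning so every gap is reported at once
        }
    }

    if (missing.length === 0) return { envVars, warnings: [] };
    if (!opts.ignoreMissingSecrets) {
        // Default: fail closed before anything is deployed or run.
        throw new Error(
            `Missing secrets: ${missing.join(', ')}. Set them by calling "apify secrets add <SECRET_NAME> <SECRET_VALUE>".`,
        );
    }
    // Legacy opt-in: the variables are omitted, and the caller is told which ones.
    const warnings = missing.map((k) => `Value for ${k} not found in local secrets; variable omitted.`);
    return { envVars, warnings };
}

// Constructed sample input, not taken from any real actor.json.
const sampleEnv = { LOG_LEVEL: 'debug', API_TOKEN: '@API_TOKEN', DATABASE_URL: '@DATABASE_URL', PROXY_PASS: '@PROXY_PASS' };
const sampleSecrets = { PROXY_PASS: 'constructed-value' };
```

With the constructed sample, the default path throws one error naming both API_TOKEN and DATABASE_URL, while the opt-in path returns LOG_LEVEL and PROXY_PASS plus two warnings.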

Copilot AI changed the title from "Fix: Make apify push fail when secrets are missing instead of silently continuing" to "Fix: Make apify push fail when secrets are missing instead of silently continuing, with optional flag to preserve old behavior" on Sep 25, 2025
Copilot finished work on behalf of vladfrangu September 25, 2025 11:39
vladfrangu changed the title from "Fix: Make apify push fail when secrets are missing instead of silently continuing, with optional flag to preserve old behavior" to "fix: Make apify push fail when secrets are missing instead of silently continuing, with optional flag to preserve old behavior" on Oct 3, 2025