Copilot AI commented Jan 5, 2026

Production deployment was not using GitHub secrets for runtime configuration, while staging deployment was. This creates inconsistency in secret management and makes production setup more manual.

Changes

Workflow Changes

  • Added flyctl secrets step to production deployment that sets all required secrets from GitHub environment secrets:
    • SESSION_SECRET - Required for session management
    • HONEYPOT_SECRET - Required for honeypot spam protection
    • SENTRY_DSN - For error monitoring (optional but recommended)
    • RESEND_API_KEY - For email functionality (optional but recommended)
  • Added conditional checks (if: ${{ env.FLY_API_TOKEN }}) to both secrets and deployment steps for consistency with staging pattern

```yaml
- name: 🔐 Set Production Secrets
  if: ${{ env.FLY_API_TOKEN }}
  run: |
    flyctl secrets --app ${{ steps.app_name.outputs.value }} set \
      SESSION_SECRET=${{ secrets.SESSION_SECRET }} \
      HONEYPOT_SECRET=${{ secrets.HONEYPOT_SECRET }} \
      SENTRY_DSN=${{ secrets.SENTRY_DSN }} \
      RESEND_API_KEY=${{ secrets.RESEND_API_KEY }}

- name: 🚀 Deploy Production
  if: ${{ env.FLY_API_TOKEN }}
  run: |
    flyctl deploy \
      --image "registry.fly.io/${{ steps.app_name.outputs.value }}:${{ github.sha }}"
```

Documentation Changes

  • Updated docs/deployment.md to use gh secret set -e production for SESSION_SECRET and HONEYPOT_SECRET instead of fly secrets set
  • Updated docs/email.md to use gh secret set -e production for RESEND_API_KEY instead of fly secrets set
  • Updated docs/monitoring.md to use gh secret set -e production for SENTRY_DSN instead of fly secrets set

All documentation now instructs users to set secrets via GitHub environment secrets using -e production for production environment and -e staging for staging environment, matching the workflow's environment: production configuration.

Staging and production now follow the same secret management approach with all runtime secrets configured through GitHub Actions environment secrets.
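
An added example, not code from this PR or the project: `${{ secrets.X }}` expressions are substituted into the script text before the shell runs, so a value containing whitespace or shell metacharacters gets parsed by the shell, and an unset optional secret leaves a bare `NAME=`. This sketch reads the four secrets named above from the step's environment, fails when a required one is missing, skips unset optional ones, and pipes the rest to `flyctl secrets import` on stdin. The function names, the script path and `APP_NAME` are assumptions.

```shell
# Added example, not code from the PR. Secret names are the ones the PR lists;
# function names are hypothetical. Values are read from the environment (the
# step's env: map), never from ${{ }} text pasted into the script.
REQUIRED_SECRETS="SESSION_SECRET HONEYPOT_SECRET"
OPTIONAL_SECRETS="SENTRY_DSN RESEND_API_KEY"
NL='
'

# Print NAME=VALUE lines for every configured secret; fail if a required one
# is empty or if a value spans lines (it would not fit one NAME=VALUE line).
build_secret_pairs() {
  local name value missing
  missing=""
  for name in $REQUIRED_SECRETS; do
    eval "value=\${$name:-}"      # safe: $name comes from the fixed lists above
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required secrets:$missing" >&2
    return 1
  fi
  for name in $REQUIRED_SECRETS $OPTIONAL_SECRETS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || continue   # optional secret not configured: skip it
    case "$value" in
      *"$NL"*) echo "$name contains a newline" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$name" "$value"
  done
}

# Validate first, then hand the pairs to flyctl on stdin so no secret value
# appears in the command line. $1 is the Fly app name.
push_secrets() {
  local pairs
  pairs=$(build_secret_pairs) || return 1
  printf '%s\n' "$pairs" | flyctl secrets import --app "$1"
}

# Workflow wiring (assumed; the script path and APP_NAME are hypothetical):
#   env:
#     SESSION_SECRET: ${{ secrets.SESSION_SECRET }}   # likewise the other three
#   run: . ./scripts/push-secrets.sh && push_secrets "$APP_NAME"
```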


Copilot AI changed the title from "[WIP] Create a staging environment deployment for pull requests" to "Use GitHub secrets for production deployment" Jan 5, 2026
Copilot AI requested a review from kasperpeulen January 5, 2026 23:53
@kasperpeulen
Owner

@copilot Check the init script and the deployment.md file if those are all secrets that need to be set.

Author

Copilot AI commented Jan 5, 2026

> @copilot Check the init script and the deployment.md file if those are all secrets that need to be set.

Reviewed deployment.md and init script. Added the missing secrets to production deployment in commit 29a5137:

All secrets now configured:

  • SESSION_SECRET - session management
  • HONEYPOT_SECRET - spam protection
  • SENTRY_DSN - error monitoring
  • RESEND_API_KEY - email functionality

Production now matches staging's secret management approach.

@kasperpeulen
Owner

@copilot Update the .md files to set gh secrets just like for staging.

Author

Copilot AI commented Jan 6, 2026

> @copilot Update the .md files to set gh secrets just like for staging.

Updated all documentation files in commits eefc50e and bf1dae3. All secrets now use -e production for production environment and -e staging for staging environment:

Updated files:

  • docs/deployment.md - SESSION_SECRET and HONEYPOT_SECRET
  • docs/email.md - RESEND_API_KEY
  • docs/monitoring.md - SENTRY_DSN

All secrets correctly use GitHub environment-specific secrets matching the workflow's environment: production configuration.
