Skip to content

Use GitHub secrets for production deployment #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 7 commits into
base: kasper/staging-app-per-pr
Choose a base branch
from
Draft

Use GitHub secrets for production deployment #33

Copilot wants to merge 7 commits into from

Conversation

Copy link

Copilot AI commented Jan 5, 2026
edited
Loading

Production deployment was not using GitHub secrets for runtime configuration, while staging deployment was. This creates inconsistency in secret management and makes production setup more manual.

Changes

Workflow Changes

  • Added flyctl secrets step to production deployment that sets all required secrets from GitHub environment secrets:
    • SESSION_SECRET - Required for session management
    • HONEYPOT_SECRET - Required for honeypot spam protection
    • SENTRY_DSN - For error monitoring (optional but recommended)
    • RESEND_API_KEY - For email functionality (optional but recommended)
  • Added conditional checks (if: ${{ env.FLY_API_TOKEN }}) to both secrets and deployment steps for consistency with staging pattern
- name: 🔐 Set Production Secrets
  if: ${{ env.FLY_API_TOKEN }}
  run: |
    flyctl secrets --app ${{ steps.app_name.outputs.value }} set \
      SESSION_SECRET=${{ secrets.SESSION_SECRET }} \
      HONEYPOT_SECRET=${{ secrets.HONEYPOT_SECRET }} \
      SENTRY_DSN=${{ secrets.SENTRY_DSN }} \
      RESEND_API_KEY=${{ secrets.RESEND_API_KEY }}

- name: 🚀 Deploy Production
  if: ${{ env.FLY_API_TOKEN }}
  run: |
    flyctl deploy \
      --image "registry.fly.io/${{ steps.app_name.outputs.value }}:${{ github.sha }}"

Documentation Changes

  • Updated docs/deployment.md to use gh secret set -e production for SESSION_SECRET and HONEYPOT_SECRET instead of fly secrets set
  • Updated docs/email.md to use gh secret set -e production for RESEND_API_KEY instead of fly secrets set
  • Updated docs/monitoring.md to use gh secret set -e production for SENTRY_DSN instead of fly secrets set

All documentation now instructs users to set secrets via GitHub environment secrets using -e production for production environment and -e staging for staging environment, matching the workflow's environment: production configuration.

Staging and production now follow the same secret management approach with all runtime secrets configured through GitHub Actions environment secrets.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Jan 5, 2026
Open
2 tasks
Copilot AI changed the title [WIP] Create a staging environment deployment for pull requests Use GitHub secrets for production deployment Jan 5, 2026
Copilot AI requested a review from kasperpeulen January 5, 2026 23:53
@kasperpeulen
Copy link
Owner

kasperpeulen commented Jan 5, 2026

@copilot Check the init script and the delpoyment.md file if those are all secrets that need to be set.

Copy link
Author

Copilot AI commented Jan 5, 2026

@copilot Check the init script and the delpoyment.md file if those are all secrets that need to be set.

Reviewed deployment.md and init script. Added the missing secrets to production deployment in commit 29a5137:

All secrets now configured:

  • SESSION_SECRET - session management
  • HONEYPOT_SECRET - spam protection
  • SENTRY_DSN - error monitoring
  • RESEND_API_KEY - email functionality

Production now matches staging's secret management approach.

@kasperpeulen
Copy link
Owner

kasperpeulen commented Jan 6, 2026

@copilot Update the .md files to set gh secrets just like for staging.

Copy link
Author

Copilot AI commented Jan 6, 2026

@copilot Update the .md files to set gh secrets just like for staging.

Updated all documentation files in commits eefc50e and bf1dae3. All secrets now use -e production for production environment and -e staging for staging environment:

Updated files:

  • docs/deployment.md - SESSION_SECRET and HONEYPOT_SECRET
  • docs/email.md - RESEND_API_KEY
  • docs/monitoring.md - SENTRY_DSN

All secrets correctly use GitHub environment-specific secrets matching the workflow's environment: production configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kasperpeulen kasperpeulen Awaiting requested review from kasperpeulen

Assignees

@kasperpeulen kasperpeulen

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kasperpeulen