new file: .github/scripts/inject_config.py

Sushegaad · Sushegaad · commit 9330d3726d18 · 2026-03-05T18:21:25.000-05:00
modified:   .github/workflows/deploy.yml
diff --git a/.github/scripts/inject_config.py b/.github/scripts/inject_config.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+"""
+inject_config.py — run by GitHub Actions during deployment.
+
+Reads CV_API_KEY, CV_PROVIDER, CV_MODEL from environment variables
+(populated from GitHub Secrets/Variables) and writes a safe js/config.js.
+
+Uses json.dumps() so special characters in the key ($, ", \, etc.)
+are always correctly escaped as JavaScript string literals.
+"""
+import os
+import json
+
+api_key  = os.environ.get("CV_API_KEY",  "")
+provider = os.environ.get("CV_PROVIDER", "") or "claude"
+model    = os.environ.get("CV_MODEL",    "") or "claude-sonnet-4-5-20250929"
+
+lines = [
+    "// Auto-generated by GitHub Actions -- do not edit manually.",
+    "// Regenerated on every push to main.",
+    "// To update: change the CLEARVOICE_API_KEY secret in repository settings.",
+    "window.CV_CONFIG = {",
+    "  apiKey  : " + json.dumps(api_key)  + ",",
+    "  provider: " + json.dumps(provider) + ",",
+    "  model   : " + json.dumps(model)    + ",",
+    "};",
+    "",
+]
+
+with open("js/config.js", "w") as f:
+    f.write("\n".join(lines))
+
+if api_key:
+    print("API key injected into js/config.js")
+else:
+    print("No CLEARVOICE_API_KEY secret found -- deploying without key (users configure manually).")
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,80 +1,50 @@
 # =============================================================
-# ClearVoice — GitHub Actions Deployment Workflow
+# ClearVoice - GitHub Actions Deployment Workflow
 #
-# This workflow injects your API key from GitHub Secrets at
-# build time, then deploys the site to GitHub Pages.
-#
-# HOW TO SET UP:
-# 1. Go to your repo → Settings → Secrets and variables → Actions
+# HOW TO SET UP GITHUB SECRETS:
+# 1. Go to your repo -> Settings -> Secrets and variables -> Actions
 # 2. Click "New repository secret"
 # 3. Name: CLEARVOICE_API_KEY  |  Value: your Anthropic API key
-# 4. Optionally add: CLEARVOICE_MODEL (default: claude-sonnet-4-5-20250929)
-# 5. Push to main or trigger manually via "Run workflow"
+# 4. Optionally add Variables (not Secrets) for provider/model:
+#    CLEARVOICE_PROVIDER  (default: claude)
+#    CLEARVOICE_MODEL     (default: claude-sonnet-4-5-20250929)
+# 5. Push to main - the workflow runs automatically.
 #
 # SECURITY NOTE:
-# The injected key will exist in the deployed GitHub Pages files.
-# This is acceptable for personal/private projects, but be aware
-# the key could be read by anyone who inspects your site's JS source.
-# For team use, consider a backend proxy instead.
+# The injected key exists in the deployed GitHub Pages JS files.
+# Suitable for personal projects. For team use, use a backend proxy.
 # =============================================================
 
 name: Deploy ClearVoice to GitHub Pages
 
 on:
   push:
     branches: [main]
-  workflow_dispatch:   # Allow manual trigger from the Actions tab
+  workflow_dispatch:
 
 permissions:
   contents: read
   pages: write
   id-token: write
 
-# Only one deployment runs at a time
 concurrency:
-  group: "pages"
+  group: pages
   cancel-in-progress: false
 
 jobs:
-  # ── Build ────────────────────────────────────────────────
+
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Generate js/config.js with injected secrets
+      - name: Inject API key into js/config.js
         env:
-          CV_API_KEY : ${{ secrets.CLEARVOICE_API_KEY }}
+          CV_API_KEY: ${{ secrets.CLEARVOICE_API_KEY }}
           CV_PROVIDER: ${{ vars.CLEARVOICE_PROVIDER }}
-          CV_MODEL   : ${{ vars.CLEARVOICE_MODEL }}
-        # Python is used for safe JSON string encoding of the API key
-        # (handles special characters like $, ", \, etc.)
-        run: |
-          python3 - <<'PYEOF'
-          import os, json
-
-          api_key  = os.environ.get("CV_API_KEY",  "")
-          provider = os.environ.get("CV_PROVIDER", "claude") or "claude"
-          model    = os.environ.get("CV_MODEL",    "claude-sonnet-4-5-20250929") or "claude-sonnet-4-5-20250929"
-
-          content = f"""// Auto-generated by GitHub Actions — DO NOT EDIT
-// Regenerated on every push to main.
-// To update: change the CLEARVOICE_API_KEY secret in repository settings.
-window.CV_CONFIG = {{
-  apiKey  : {json.dumps(api_key)},
-  provider: {json.dumps(provider)},
-  model   : {json.dumps(model)},
-}};
-"""
-          with open("js/config.js", "w") as f:
-              f.write(content)
-
-          if api_key:
-              print("✅ API key injected into js/config.js")
-          else:
-              print("⚠️  No CLEARVOICE_API_KEY secret found — deploying without key (users will configure manually)")
-          PYEOF
+          CV_MODEL: ${{ vars.CLEARVOICE_MODEL }}
+        run: python3 .github/scripts/inject_config.py
 
       - name: Setup GitHub Pages
         uses: actions/configure-pages@v4
@@ -84,7 +54,6 @@ window.CV_CONFIG = {{
         with:
           path: "."
 
-  # ── Deploy ───────────────────────────────────────────────
   deploy:
     environment:
       name: github-pages
