
Fly deploy: target 'production' environment so env-scoped secrets resolve #36

Merged: dougdevitre merged 1 commit into main from claude/fly-deploy-env-scope on May 16, 2026
@dougdevitre
Owner

Why this PR exists

Your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are stored as Environment secrets under the Production environment (good practice — keeps prod creds separate from PR-time stuff). But the workflow's job didn't declare an environment:, so ${{ secrets.AWS_ACCESS_KEY_ID }} only looked at repository-scope secrets and resolved empty. The aws-actions step then fell through and reported:

Could not load credentials from any providers

Fix

  • Add environment: production on the deploy job → secrets stored under the Production environment become visible
  • Add a "Verify required secrets" preflight step that fails immediately with a clear ::error:: message naming which secret is missing, linking to the environments settings page

After this merges

The next workflow run will pass the AWS step. Two remaining requirements:

  1. Add FLY_API_TOKEN to the same Production environment (not Repository secrets). Get the value from https://fly.io/user/personal_access_tokens.
  2. Re-run https://github.com/dougdevitre/cotrackpro-talk/actions/workflows/fly-deploy.yml.

Test plan

  • CI green
  • After merge: workflow runs successfully end-to-end (or, if FLY_API_TOKEN isn't set yet, fails with the clear "Missing secret(s) in 'production' environment: FLY_API_TOKEN" message instead of the cryptic AWS error)

Generated by Claude Code

The AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets were added under
"Environment secrets → Production", but the job had no environment:
declaration, so secrets.X only resolved against repository scope and
came back empty. The action then fell through to its default credential
chain (OIDC / IMDS / env), found nothing, and reported "Could not load
credentials from any providers."

Adds:
- environment: production on the deploy job (reads the env-scoped
  secrets the user already configured).
- A "Verify required secrets" step that fails fast with a clear
  ::error:: message naming which secret is missing and linking to the
  environments page. Future onboarders get a one-line diagnosis
  instead of a generic AWS SDK error.
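
The "Verify required secrets" preflight described in the PR description and commit message could look like the following. This is an added example, not the step merged in this PR: the function names, the comma separator for multiple names, and the settings URL built from the runner's `GITHUB_SERVER_URL` and `GITHUB_REPOSITORY` variables are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's code): preflight for environment-scoped secrets.
# The workflow step is assumed to map each secret into its env, e.g.
#   env:
#     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# A secret that does not resolve for the job expands to an empty string,
# which is the condition detected here. Only names are printed, never values.

# missing_secrets NAME... -> prints the names that are unset or empty.
missing_secrets() {
  missing=""
  for name in "$@"; do
    # Accept plain identifiers only, so the eval below cannot run other text.
    case "$name" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $name" >&2; return 2 ;;
    esac
    eval "value=\${$name-}"
    [ -n "$value" ] || missing="${missing:+$missing, }$name"
  done
  unset value
  printf '%s' "$missing"
}

# verify_required_secrets ENVIRONMENT NAME...
# Returns 0 when every name is set; otherwise emits one ::error:: workflow
# command naming the missing secrets and returns 1.
verify_required_secrets() {
  env_name=$1
  shift
  missing=$(missing_secrets "$@") || return 2
  if [ -z "$missing" ]; then
    return 0
  fi
  # Assumed link target: the repository's environments settings page.
  url="${GITHUB_SERVER_URL:-https://github.com}/${GITHUB_REPOSITORY:-OWNER/REPO}/settings/environments"
  echo "::error::Missing secret(s) in '$env_name' environment: $missing (add at $url)"
  return 1
}

# Usage inside the step, before any AWS or Fly action runs:
#   verify_required_secrets production \
#     AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY FLY_API_TOKEN || exit 1
```

If the job lacks `environment: production`, all three names come back missing, which points at the scoping problem rather than at one absent value.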
@vercel

vercel Bot commented May 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cotrackpro-talk Ready Ready Preview, Comment May 16, 2026 7:00am

@dougdevitre dougdevitre merged commit e9956d5 into main May 16, 2026
3 checks passed