
ci(deploy): deploy ingest to render with 1Password-sourced secrets #427

Open

matheus1lva wants to merge 4 commits into main from ci/render-deploy-1password

Conversation

matheus1lva (Collaborator) commented Jun 18, 2026

Summary

GitHub Actions now owns the Render deploy and sources secrets from 1Password instead of the hand-edited Render env group. A new deploy workflow resolves the secrets declared in .github/deploy.env.tpl via 1Password/load-secrets-action, pushes each into the Render env group kong (fromGroup: kong in render.yaml), then triggers a Render API deploy and waits for it to go live. 1Password becomes the source of truth, so nobody edits secrets in the Render dashboard.

How to review

Two files: .github/workflows/deploy.yml and .github/deploy.env.tpl.

  • .github/deploy.env.tpl is the single source of truth for which secrets sync. Each line maps a Render env-var name to an op://webops-prod/kong/... reference. The sync step derives its key list from the same file, so the loaded set and the pushed set cannot drift.
  • Secret sync uses the per-key endpoint PUT /v1/env-groups/{id}/env-vars/{key}, so it only adds or updates keys and cannot drop vars it does not manage. The bulk-replace endpoint is avoided on purpose.
  • The 12 HTTP_ARCHIVE_* / HTTP_FULLNODE_* keys match the chains the ingest worker reads via process.env[`HTTP_ARCHIVE_${chain.id}`] (lib/rpcs.ts). REDIS_HOST, REDIS_PORT, NODE_VERSION are excluded because render.yaml sets them fromService. GITHUB_PERSONAL_ACCESS_TOKEN is not read by ingest, so it is left out.
  • Commented optional keys in the template (MONITOR_API_KEY, SENTRY_DSN, ...) stay off until the matching field exists in 1Password; an unresolved ref fails the whole job.
  • The deploy step polls GET .../deploys/{id} until live or a failure status.

Test plan

  • Manual: add repo secrets RENDER_API_KEY, RENDER_SERVICE_ID, OP_SERVICE_ACCOUNT_TOKEN; confirm the 1Password webops-prod/kong item has a field for every active line in deploy.env.tpl; run via workflow_dispatch; confirm values land in env group evg-d3dkc7jipnbc73ce23lg and the deploy reaches live.
  • Automated: none (CI workflow). Validated locally only: YAML parses, both run blocks pass bash -n, the template yields the expected 28 keys.

Risk / impact

  • Touches deploys and secrets. Turn OFF Render Auto-Deploy on ingest-v-2, or a push to main fires two deploys (Render git integration plus this workflow).
  • Per-key upsert never clears existing env-group vars; an empty resolved value is skipped rather than written.
  • Rollback: disable or delete the workflow and re-enable Render Auto-Deploy.
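
The sync-and-deploy procedure described in the summary and review notes above, as an added example script that is not the PR's workflow code. It derives the key list from the template (so the loaded set and the pushed set come from one source), upserts each non-empty value through the per-key endpoint, then triggers a deploy and polls it until it is live or fails. The per-key env-group endpoint is the one the PR names; the deploy endpoints (POST and GET under /v1/services/{id}/deploys), the deploy-failure status names, the DRY_RUN switch, the STATUS_FN hook and every helper name are assumptions of this example and are not stated in the PR. The template and values used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the PR's workflow. It mirrors the procedure the PR describes:
# derive the key list from deploy.env.tpl, upsert each value through the per-key
# endpoint PUT /v1/env-groups/{id}/env-vars/{key} (empty values are skipped, never
# written), then trigger a Render deploy and poll it until live or a failure status.
# Values are read from the environment under the template's names, which is how
# 1Password/load-secrets-action exposes them. DRY_RUN=1 (the default) prints the
# requests instead of calling curl so the script runs offline.
# ASSUMPTIONS: the deploy endpoints (/v1/services/{id}/deploys) and the failure
# status names follow the Render API as the author of this example knows it and are
# not stated in the PR; check them against Render's current docs before use.
set -eu

RENDER_API="${RENDER_API:-https://api.render.com}"
DRY_RUN="${DRY_RUN:-1}"
RENDER_API_KEY="${RENDER_API_KEY:-}"
STATUS_FN="${STATUS_FN:-fetch_deploy_status}"   # hook so a test can stub status polling

# Escape backslash and double quote for a JSON string body (newlines not handled;
# multi-line values do not belong in an env group anyway).
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# First occurrence of "name":"value" in a JSON body, without a jq dependency.
# Takes the first match, so "id" of the deploy wins over "id" of its nested commit.
json_string_field() { printf '%s' "$2" | grep -o "\"$1\" *: *\"[^\"]*\"" | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'; }

# One authenticated Render API call. In DRY_RUN it prints "<METHOD> <path>" instead.
render_api() {
  method="$1"; path="$2"; body="${3:-}"
  if [ "$DRY_RUN" = 1 ]; then echo "$method $path"; return 0; fi
  if [ -n "$body" ]; then
    curl -fsS -X "$method" "$RENDER_API$path" -H "Authorization: Bearer $RENDER_API_KEY" \
      -H 'Content-Type: application/json' --data "$body"
  else
    curl -fsS -X "$method" "$RENDER_API$path" -H "Authorization: Bearer $RENDER_API_KEY"
  fi
}

# Env-var names of every active template line (NAME=op://vault/item/field).
# Comment and blank lines are dropped, so the load step and the sync step share one list.
template_keys() { grep -Eo '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | sed 's/=$//'; }

# Upsert one key into an env group. An empty value is skipped (exit status 2), never written.
upsert_env_var() {
  group_id="$1"; key="$2"; value="$3"
  if [ -z "$value" ]; then echo "skip $key: empty value" >&2; return 2; fi
  render_api PUT "/v1/env-groups/$group_id/env-vars/$key" "{\"value\":\"$(json_escape "$value")\"}"
}

# Push every template key found in the environment; last line printed is "pushed=N skipped=M".
sync_env_group() {
  template="$1"; group_id="$2"; pushed=0; skipped=0
  for key in $(template_keys "$template"); do
    eval "value=\${$key:-}"   # key matched [A-Za-z_][A-Za-z0-9_]* above, so this eval is safe
    if upsert_env_var "$group_id" "$key" "$value"; then pushed=$((pushed + 1)); else skipped=$((skipped + 1)); fi
  done
  echo "pushed=$pushed skipped=$skipped"
}

# Trigger a deploy and print its id. DRY_RUN prints the request and a placeholder id.
trigger_deploy() {
  service_id="$1"
  resp=$(render_api POST "/v1/services/$service_id/deploys" '{"clearCache":"do_not_clear"}')
  if [ "$DRY_RUN" = 1 ]; then echo "$resp" >&2; echo dep-dryrun; return 0; fi
  json_string_field id "$resp"
}

# Current status of a deploy; the poller calls it through $STATUS_FN.
fetch_deploy_status() {
  if [ "$DRY_RUN" = 1 ]; then echo live; return 0; fi
  json_string_field status "$(render_api GET "/v1/services/$1/deploys/$2")"
}

# Poll until terminal: exit 0 on live, 1 on a failure status, 3 when max_polls is exhausted.
# Failure status names are an assumption about the Render API (see header comment).
wait_for_deploy() {
  service_id="$1"; deploy_id="$2"; max_polls="${3:-60}"; interval="${4:-10}"; i=0; status=unknown
  while [ "$i" -lt "$max_polls" ]; do
    status=$("$STATUS_FN" "$service_id" "$deploy_id")
    case "$status" in
      live) echo "deploy $deploy_id is live"; return 0 ;;
      build_failed|update_failed|canceled|deactivated) echo "deploy $deploy_id failed: $status" >&2; return 1 ;;
      *) sleep "$interval" ;;
    esac
    i=$((i + 1))
  done
  echo "deploy $deploy_id still $status after $max_polls polls" >&2
  return 3
}

# Usage inside a workflow step, after load-secrets-action has exported the values
# (DRY_RUN=0 RENDER_API_KEY=... RENDER_ENV_GROUP_ID=... RENDER_SERVICE_ID=... are assumed):
# sync_env_group .github/deploy.env.tpl "$RENDER_ENV_GROUP_ID" \
#   && dep=$(trigger_deploy "$RENDER_SERVICE_ID") && wait_for_deploy "$RENDER_SERVICE_ID" "$dep"
```

The per-key PUT is what keeps the step additive: a key missing from the template is simply never touched, and a key whose 1Password field resolved to an empty string returns before any request is built, matching the "skipped rather than written" behaviour the risk section describes. The poller treats any status it does not recognise as still in progress, so an unexpected value ends in the timeout exit rather than a false success.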

vercel bot commented Jun 18, 2026

The latest updates on your projects.

Project: kong | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 24, 2026 2:40pm
