ci(deploy): deploy ingest to render with 1Password-sourced secrets#427
matheus1lva wants to merge 4 commits into
## Summary

GitHub Actions now owns the Render deploy and sources secrets from 1Password instead of the hand-edited Render env group. A new `deploy` workflow resolves the secrets declared in `.github/deploy.env.tpl` via `1Password/load-secrets-action`, pushes each into the Render env group `kong` (`fromGroup: kong` in render.yaml), then triggers a Render API deploy and waits for it to go live. 1Password becomes the source of truth, so nobody edits secrets in the Render dashboard.

## How to review

Two files: `.github/workflows/deploy.yml` and `.github/deploy.env.tpl`.

- `.github/deploy.env.tpl` is the single source of truth for which secrets sync. Each line maps a Render env-var name to an `op://webops-prod/kong/...` reference. The sync step derives its key list from the same file, so the loaded set and the pushed set cannot drift.
- … `PUT /v1/env-groups/{id}/env-vars/{key}`, so it only adds or updates keys and cannot drop vars it does not manage. The bulk-replace endpoint is avoided on purpose.
- `HTTP_ARCHIVE_*` / `HTTP_FULLNODE_*` keys match the chains the ingest worker reads via ``process.env[`HTTP_ARCHIVE_${chain.id}`]`` (lib/rpcs.ts).
- `REDIS_HOST`, `REDIS_PORT`, `NODE_VERSION` are excluded because render.yaml sets them `fromService`.
- `GITHUB_PERSONAL_ACCESS_TOKEN` is not read by ingest, so it is left out.
- … (`MONITOR_API_KEY`, `SENTRY_DSN`, ...) stay off until the matching field exists in 1Password; an unresolved ref fails the whole job.
- … `GET .../deploys/{id}` until `live` or a failure status.

## Test plan

- … `RENDER_API_KEY`, `RENDER_SERVICE_ID`, `OP_SERVICE_ACCOUNT_TOKEN`; confirm the 1Password `webops-prod/kong` item has a field for every active line in `deploy.env.tpl`; run via `workflow_dispatch`; confirm values land in env group `evg-d3dkc7jipnbc73ce23lg` and the deploy reaches `live`.
- … `run` blocks pass `bash -n`, the template yields the expected 28 keys.

## Risk / impact

- … `ingest-v-2`, or a push to main fires two deploys (Render git integration plus this workflow).
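The sync-and-wait pattern the description lays out (key list derived from the template, one per-key `PUT` instead of bulk replace, polling the deploy until `live` or a failure status) as an added bash example; this is not the PR's `deploy.yml` or any code from the project. It assumes Render's API base URL, a `{"value": ...}` PUT body, the names of the non-`live` deploy statuses, and that the resolved secrets are present as environment variables when the sync runs; the template text and the chain ids in it are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not the PR's deploy.yml): the sync pattern the PR describes,
# written as shell functions a workflow `run` block could source.
# Assumptions (not stated in the PR): Render's API base URL, a {"value": ...}
# PUT body, the non-"live" deploy status names, and that resolved secrets are
# present as environment variables when put_env_var runs.
set -euo pipefail

RENDER_API="${RENDER_API:-https://api.render.com/v1}"   # assumed base URL

# Constructed sample template in the KEY=op://... shape the PR describes.
# The commented-out MONITOR_API_KEY line must not be synced: an unresolved
# op:// reference fails the whole job.
SAMPLE_TPL='# secrets synced into the Render env group
HTTP_ARCHIVE_1=op://webops-prod/kong/HTTP_ARCHIVE_1
HTTP_FULLNODE_1=op://webops-prod/kong/HTTP_FULLNODE_1

# MONITOR_API_KEY=op://webops-prod/kong/MONITOR_API_KEY
DATABASE_URL=op://webops-prod/kong/DATABASE_URL'

# Env-var names of every active (non-blank, non-comment) template line.
# Feeding both the load step and the sync step from this one function is
# what keeps the loaded set and the pushed set from drifting.
tpl_keys() {
  printf '%s\n' "$1" | sed 's/[[:space:]]*$//' \
    | grep -Ev '^[[:space:]]*(#|$)' | cut -d= -f1
}

# A key becomes a URL path segment, so reject anything that is not a plain
# env-var name before it gets anywhere near curl.
valid_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; }

# Per-key endpoint from the PR: PUT adds or updates exactly one var and never
# touches keys the workflow does not manage (bulk replace would).
env_var_url() { printf '%s/env-groups/%s/env-vars/%s' "$RENDER_API" "$1" "$2"; }

# Push one key. The value is read from the environment, never passed on the
# command line, so it does not appear in `ps` output; an empty value aborts
# rather than silently blanking a production secret.
put_env_var() {
  group="$1"; key="$2"
  valid_key "$key" || { echo "refusing to sync invalid key: $key" >&2; return 1; }
  val="$(printenv "$key" || true)"
  [ -n "$val" ] || { echo "$key resolved to empty; aborting sync" >&2; return 1; }
  jq -n --arg v "$val" '{value: $v}' \
    | curl -fsS -X PUT --data @- \
        -H "Authorization: Bearer $RENDER_API_KEY" \
        -H 'Content-Type: application/json' \
        "$(env_var_url "$group" "$key")" >/dev/null
}

# Sync every active template key into one env group; stop at the first
# failure so a partial sync is visible in the job log rather than masked.
sync_group() {
  group="$1"; tpl="$2"
  for k in $(tpl_keys "$tpl"); do
    put_env_var "$group" "$k"
  done
}

# Classify a deploy status for the wait loop: exit 0 when polling should stop
# and record DEPLOY_OK so the caller can fail the job on anything but "live".
DEPLOY_OK=0
deploy_terminal() {
  case "$1" in
    live) DEPLOY_OK=1; return 0 ;;
    build_failed|update_failed|canceled|deactivated) DEPLOY_OK=0; return 0 ;;  # assumed names
    *) return 1 ;;
  esac
}

# Poll GET .../deploys/{id} until a terminal status, with a bound so a stuck
# deploy fails the job instead of hanging the runner.
wait_for_deploy() {
  service="$1"; deploy="$2"; tries="${3:-60}"
  while [ "$tries" -gt 0 ]; do
    status="$(curl -fsS -H "Authorization: Bearer $RENDER_API_KEY" \
      "$RENDER_API/services/$service/deploys/$deploy" | jq -r .status)"
    if deploy_terminal "$status"; then
      [ "$DEPLOY_OK" = 1 ] && return 0
      echo "deploy $deploy ended with status $status" >&2; return 1
    fi
    tries=$((tries - 1)); sleep 10
  done
  echo "timed out waiting for deploy $deploy" >&2; return 1
}
```

In a workflow, `sync_group evg-d3dkc7jipnbc73ce23lg "$(cat .github/deploy.env.tpl)"` would run after the 1Password load step and `wait_for_deploy "$RENDER_SERVICE_ID" "$DEPLOY_ID"` after the deploy trigger. The two design points worth keeping in any rewrite are that the key list comes from a single parsing function shared by load and sync, and that the poll loop is bounded and treats every non-`live` terminal status as a job failure.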