Skip to content

ci(staging): wire missing env vars into staging deploy#136

Merged
FSM1 merged 1 commit into
mainfrom
feat/staging-env-updates
Feb 17, 2026
Merged

ci(staging): wire missing env vars into staging deploy#136
FSM1 merged 1 commit into
mainfrom
feat/staging-env-updates

Conversation

@FSM1

@FSM1 FSM1 commented Feb 17, 2026

Copy link
Copy Markdown
Owner

Summary

  • Adds SIWE_DOMAIN and IDENTITY_JWT_PRIVATE_KEY to the .env.staging heredoc in deploy-staging.yml
  • Without SIWE_DOMAIN, wallet logins fail on staging (defaults to localhost)
  • Without IDENTITY_JWT_PRIVATE_KEY, the API crashes on startup — staging runs NODE_ENV=production which requires a persistent RS256 signing key

Both GitHub secrets/variables are already set in the staging environment.

Test plan

  • Merge and trigger staging deploy via tag-staging workflow
  • Verify API starts without crash (check logs for Identity JWKS ready)
  • Verify wallet login works on app-staging.cipherbox.cc

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated staging deployment configuration with additional environment variables to support authentication and identity services.

…staging

Without SIWE_DOMAIN, wallet logins fail on staging (defaults to localhost).
Without IDENTITY_JWT_PRIVATE_KEY, the API crashes on startup since staging
runs with NODE_ENV=production which requires a persistent signing key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Feb 17, 2026

Copy link
Copy Markdown

Walkthrough

The staging deployment workflow is updated to include two new environment variables: SIWE_DOMAIN and IDENTITY_JWT_PRIVATE_KEY, which are sourced from GitHub Actions variables and secrets respectively and written to the .env.staging file for Docker Compose consumption.

Changes

Cohort / File(s) Summary
Staging Deployment Configuration
.github/workflows/deploy-staging.yml
Added two new environment variables (SIWE_DOMAIN from vars, IDENTITY_JWT_PRIVATE_KEY from secrets) to be written into the .env.staging file during staging deployment.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding missing environment variables to the staging deployment workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feat/staging-env-updates

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-staging.yml:
- Line 165: The CI currently inserts IDENTITY_JWT_PRIVATE_KEY directly into the
heredoc which assumes the secret is base64-encoded; confirm with your VPS admin
that the GitHub Secret for IDENTITY_JWT_PRIVATE_KEY is stored base64 (see
apps/api/.env.example and jwt-issuer.service.ts which call Buffer.from(pemKey,
'base64').toString('utf8')), or if the secret is intentionally a raw PEM, change
the workflow to append the secret outside the heredoc with proper
quoting/escaping (rather than inline) so the resulting .env.staging keeps
literal newlines intact; update the deploy-staging.yml handling of
IDENTITY_JWT_PRIVATE_KEY accordingly.

SENDGRID_FROM_EMAIL=${{ vars.SENDGRID_FROM_EMAIL }}
GOOGLE_CLIENT_ID=${{ vars.GOOGLE_CLIENT_ID }}
SIWE_DOMAIN=${{ vars.SIWE_DOMAIN }}
IDENTITY_JWT_PRIVATE_KEY=${{ secrets.IDENTITY_JWT_PRIVATE_KEY }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

wc -l .github/workflows/deploy-staging.yml

Repository: FSM1/cipher-box

Length of output: 99


🏁 Script executed:

sed -n '150,180p' .github/workflows/deploy-staging.yml

Repository: FSM1/cipher-box

Length of output: 1609


🏁 Script executed:

sed -n '130,170p' .github/workflows/deploy-staging.yml

Repository: FSM1/cipher-box

Length of output: 1911


🏁 Script executed:

rg -i "IDENTITY_JWT_PRIVATE_KEY" --type-list | head -20

Repository: FSM1/cipher-box

Length of output: 448


🏁 Script executed:

rg "IDENTITY_JWT_PRIVATE_KEY" -A 2 -B 2

Repository: FSM1/cipher-box

Length of output: 4079


🏁 Script executed:

fd -e md -e txt -e yml | xargs grep -l "IDENTITY_JWT" 2>/dev/null | head -10

Repository: FSM1/cipher-box

Length of output: 41


🏁 Script executed:

fd README -o SETUP -o "\.env" -o docker-compose | head -5

Repository: FSM1/cipher-box

Length of output: 188


🏁 Script executed:

cat README.md 2>/dev/null | grep -A 10 -i "IDENTITY_JWT\|jwt.*key\|secret" | head -30

Repository: FSM1/cipher-box

Length of output: 677


🏁 Script executed:

cat README.md 2>/dev/null | head -100

Repository: FSM1/cipher-box

Length of output: 3559


🏁 Script executed:

find . -maxdepth 2 -name "*.md" -type f | head -10

Repository: FSM1/cipher-box

Length of output: 532


🏁 Script executed:

find . -name ".env*" -o -name "env.example" | head -10

Repository: FSM1/cipher-box

Length of output: 195


🏁 Script executed:

rg "base64\|base64.*encode" -A 2 -B 2 --type yml | head -40

Repository: FSM1/cipher-box

Length of output: 86


🏁 Script executed:

cat apps/api/src/auth/services/jwt-issuer.service.ts | head -50

Repository: FSM1/cipher-box

Length of output: 2203


🏁 Script executed:

cat apps/api/.env.example

Repository: FSM1/cipher-box

Length of output: 1940


🏁 Script executed:

rg "base64\|decode" apps/api/src/auth --type ts -A 2 -B 2 | head -50

Repository: FSM1/cipher-box

Length of output: 41


🏁 Script executed:

find . -name "DEPLOY*" -o -name "setup*" -o -name "install*" | grep -i doc

Repository: FSM1/cipher-box

Length of output: 41


🏁 Script executed:

cat .github/copilot-instructions.md | grep -A 10 -i "identity\|jwt\|secret" | head -30

Repository: FSM1/cipher-box

Length of output: 1311


🏁 Script executed:

find . -path "*/docs/*" -name "*.md" | head -10

Repository: FSM1/cipher-box

Length of output: 88


🏁 Script executed:

cat docs/VAULT_EXPORT_FORMAT.md | head -50

Repository: FSM1/cipher-box

Length of output: 2460


🏁 Script executed:

find . -type f \( -name "*.yml" -o -name "*.yaml" \) -exec grep -l "IDENTITY_JWT\|base64.*secret" {} \; | head -10

Repository: FSM1/cipher-box

Length of output: 97


🏁 Script executed:

git log --oneline --all -S "IDENTITY_JWT_PRIVATE_KEY" | head -20

Repository: FSM1/cipher-box

Length of output: 145


Ensure IDENTITY_JWT_PRIVATE_KEY is base64-encoded per documented specification.

The codebase expects this secret to be base64-encoded (see apps/api/.env.example and jwt-issuer.service.ts). The code decodes it with Buffer.from(pemKey, 'base64').toString('utf8').

However, the workflow writes the secret inline within the heredoc without validating the format. If the secret is mistakenly stored as raw PEM with literal newlines instead of base64, the .env.staging file will be malformed. Verify with your VPS admin that the GitHub Secret is stored as base64-encoded per the documented approach — not raw PEM.

If raw PEM encoding is intentional, use Option 2 from the original suggestion (append separately with quoting after the heredoc).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-staging.yml at line 165, The CI currently inserts
IDENTITY_JWT_PRIVATE_KEY directly into the heredoc which assumes the secret is
base64-encoded; confirm with your VPS admin that the GitHub Secret for
IDENTITY_JWT_PRIVATE_KEY is stored base64 (see apps/api/.env.example and
jwt-issuer.service.ts which call Buffer.from(pemKey,
'base64').toString('utf8')), or if the secret is intentionally a raw PEM, change
the workflow to append the secret outside the heredoc with proper
quoting/escaping (rather than inline) so the resulting .env.staging keeps
literal newlines intact; update the deploy-staging.yml handling of
IDENTITY_JWT_PRIVATE_KEY accordingly.

@FSM1 FSM1 merged commit f42b1bc into main Feb 17, 2026
17 checks passed
@FSM1 FSM1 deleted the feat/staging-env-updates branch February 21, 2026 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant