From acf01382ad22884f74ee6b07f3df9362b482ce63 Mon Sep 17 00:00:00 2001
From: Ivan Malison
Date: Mon, 16 Feb 2026 16:35:19 -0800
Subject: [PATCH] fix(org-agenda-api): import single-line secrets via flyctl
---
 org-agenda-api/deploy.sh | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/org-agenda-api/deploy.sh b/org-agenda-api/deploy.sh
index 7dee5b8b..c5381ec1 100755
--- a/org-agenda-api/deploy.sh
+++ b/org-agenda-api/deploy.sh
@@ -110,25 +110,36 @@ AUTH_PASSWORD=$(age -d -i "$IDENTITY" "$CONFIG_DIR/secrets/auth-password.age")
 echo "Setting Fly.io secrets..."
-SECRET_ARGS=(
- "GIT_SSH_PRIVATE_KEY=$GIT_SSH_KEY"
- "AUTH_USER=$AUTH_USER"
- "AUTH_PASSWORD=$AUTH_PASSWORD"
- "GIT_USER_EMAIL=$GIT_USER_EMAIL"
- "GIT_USER_NAME=$GIT_USER_NAME"
-)
+# Keep multi-line secrets off stdin-based import.
+# Note: flyctl currently only supports multi-line values via NAME=VALUE CLI args.
+flyctl secrets set --stage -a "$FLY_APP" "GIT_SSH_PRIVATE_KEY=$GIT_SSH_KEY"
 # Use GIT_SYNC_REPOSITORIES (multi-repo) or GIT_SYNC_REPOSITORY (single repo)
+GIT_SYNC_SECRET=""
 if [[ -n "${GIT_SYNC_REPOSITORIES:-}" ]]; then
- SECRET_ARGS+=("GIT_SYNC_REPOSITORIES=$GIT_SYNC_REPOSITORIES")
+ GIT_SYNC_SECRET="GIT_SYNC_REPOSITORIES=$GIT_SYNC_REPOSITORIES"
 elif [[ -n "${GIT_SYNC_REPOSITORY:-}" ]]; then
- SECRET_ARGS+=("GIT_SYNC_REPOSITORY=$GIT_SYNC_REPOSITORY")
+ GIT_SYNC_SECRET="GIT_SYNC_REPOSITORY=$GIT_SYNC_REPOSITORY"
 else
 echo "Error: Neither GIT_SYNC_REPOSITORIES nor GIT_SYNC_REPOSITORY set in config.env"
 exit 1
 fi
-flyctl secrets set "${SECRET_ARGS[@]}" --stage -a "$FLY_APP"
+# flyctl secrets import reads NAME=VALUE pairs per-line; reject embedded newlines.
+for v in AUTH_USER AUTH_PASSWORD GIT_USER_EMAIL GIT_USER_NAME GIT_SYNC_SECRET; do
+ if [[ "${!v}" == *$'\n'* ]]; then
+ echo "Error: $v contains a newline; cannot safely use flyctl secrets import" >&2
+ exit 1
+ fi
+done
+
+flyctl secrets import --stage -a "$FLY_APP" <