Fly deploy: stop double-escaping secret values #40
Merged
The previous "Pull runtime secrets" step wrote KEY=VALUE entries with
printf '%q' (shell-quoted), then the "Stage Fly secrets" step read
them back and passed them to fly secrets set without re-evaluating
the quotes. The escape characters survived all the way to Fly's
storage, so INBOUND_PHONE_VOICE_MAP ended up as the literal string
{"+13143..."} (with backslashes), which the JSON parser rejected at
boot with "Invalid JSON: Unexpected token '\\'".
Fix: switch to NUL-separated KEY=VALUE pairs in a temp file. The
write side uses printf '%s=%s\0' and the read side uses
read -d '' to consume the NUL delimiter. Quote the array expansion
to keep each pair as one argv entry to flyctl. Result: values
arrive at Fly literally, no escapes.
This also removes the shellcheck SC2068 disable comment because the
quoting is now correct.
Why
Boot logs from the last Fly machine showed:
The workflow's "Pull runtime secrets" step wrote KEY=VALUE entries with printf '%q' (shell-quoted), then "Stage Fly secrets" read them back and passed them straight to fly secrets set without re-evaluating the quotes. The backslashes from %q survived all the way to Fly storage, then the app's JSON parser choked on them.
Fix
Switch to NUL-separated KEY=VALUE pairs:
printf '%s=%s\0' "$name" "$value" >> $RUNNER_TEMP/secrets.bin
while IFS= read -r -d '' pair; do args+=("$pair"); done
fly secrets set "${args[@]}" (quoted array, each pair = one argv entry)
Values arrive at Fly literally, no escaping. Removes the shellcheck SC2068 disable comment because the quoting is now correct.
Test plan
Generated by Claude Code
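The failure and the fix described in this PR, reproduced as an added bash example (not the workflow's own code). The function names, the temp files, the `count_args` stand-in for `fly secrets set`, and the sample values are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Function names and sample values are constructed.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"  # %q, arrays, read -d '' need bash

SAMPLE='{"+15550100": "voice a"}'   # constructed JSON value with quotes and spaces

# Stand-in for `fly secrets set`: reports how many argv entries it received.
count_args() { printf '%s' "$#"; }

# Old flow: write KEY=%q, read the line back, use it without re-evaluating.
stage_quoted() {   # $1 = value; prints the value the consumer ends up with
  local tmp line
  tmp=$(mktemp)
  printf 'VOICE_MAP=%q\n' "$1" > "$tmp"
  IFS= read -r line < "$tmp"      # -r keeps the backslashes that %q added
  rm -f "$tmp"
  printf '%s' "${line#*=}"
}

# Fixed flow: NUL-terminated KEY=VALUE pairs, consumed with read -d ''.
stage_nul() {      # $1 = value; prints the value the consumer ends up with
  local tmp pair args=()
  tmp=$(mktemp)
  printf '%s=%s\0' "VOICE_MAP" "$1" >> "$tmp"
  printf '%s=%s\0' "OTHER" "x y"    >> "$tmp"
  while IFS= read -r -d '' pair; do args+=("$pair"); done < "$tmp"
  rm -f "$tmp"
  printf '%s' "${args[0]#*=}"
}

# Quoted vs unquoted expansion of pairs that contain spaces (SC2068).
argc_quoted()   { local a=('A=x y' 'B=z'); count_args "${a[@]}"; }
# Deliberately unquoted below to show the word splitting.
argc_unquoted() { local a=('A=x y' 'B=z'); count_args ${a[@]}; }

echo "via %q file : $(stage_quoted "$SAMPLE")"
echo "via NUL file: $(stage_nul "$SAMPLE")"
echo "argv entries: quoted=$(argc_quoted) unquoted=$(argc_unquoted)"
```

NUL is the one byte that cannot appear in an environment variable or argv string, so the NUL-terminated file also carries values containing newlines unchanged, which a line-oriented file cannot do without quoting.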