fix: GitHub app auth env vars

[dkargatzis]

Summary by CodeRabbit

• Chores
  • Updated GitHub integration configuration naming conventions across deployment and application settings for consistency.
  • Standardized secret variable naming for GitHub App credentials in deployment workflows and configuration files.

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub App secret handling has been standardized across the deployment pipeline. The APP_NAME_GITHUB value is now hardcoded to "watchflow", while CLIENT_ID_GITHUB and APP_CLIENT_SECRET are renamed to APP_CLIENT_ID_GITHUB and APP_CLIENT_SECRET_GITHUB respectively. Variable names and error messages are updated consistently across all configuration files.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/eks-deploy.yaml	Updated environment variable names for GitHub App secrets: replaced CLIENT_ID_GITHUB and APP_CLIENT_SECRET with APP_CLIENT_ID_GITHUB and APP_CLIENT_SECRET_GITHUB. Hardcoded APP_NAME_GITHUB to "watchflow". Updated corresponding Helm deployment parameters.
Helm Values Configuration helm-chart/values.yaml	Renamed secret keys: CLIENT_ID_GITHUB → APP_CLIENT_ID_GITHUB and APP_CLIENT_SECRET → APP_CLIENT_SECRET_GITHUB. Set APP_NAME_GITHUB to "watchflow".
Settings Validation src/core/config/settings.py	Updated error messages in validation to reflect renamed secret keys: "CLIENT_ID_GITHUB" → "APP_CLIENT_ID_GITHUB" and "APP_CLIENT_SECRET" → "APP_CLIENT_SECRET_GITHUB".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Secrets renamed with care and grace,
APP_CLIENT_ID takes its place,
"watchflow" now stands bold and bright,
Consistency shines through the night!
✨🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: renaming and restructuring GitHub app authentication environment variables across workflow, Helm values, and config files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/github-app-auth-env-vars

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/eks-deploy.yaml:
- Around line 98-99: Replace all Helm flag usages that pass secrets with --set
(e.g., --set secrets.APP_CLIENT_ID_GITHUB, --set
secrets.APP_CLIENT_SECRET_GITHUB and other secrets.* occurrences) with
--set-string and quote the expansion so values are not type-coerced by Helm;
update each flag invocation (the occurrences of --set secrets.<KEY>) to use
--set-string 'secrets.<KEY>=${{ env.<ENV_VAR> }}' style quoting for every secret
passed in this Helm command.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 267e19f and 5435c37.

📒 Files selected for processing (3)

• .github/workflows/eks-deploy.yaml
• helm-chart/values.yaml
• src/core/config/settings.py

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

**/*.py

📄 CodeRabbit inference engine (.cursor/rules/guidelines.mdc)

**/*.py: Use modern typing only: dict[str, Any], list[str], str | None (no Dict, List, Optional)
GitHub/HTTP/DB calls must be async def; avoid blocking calls (time.sleep, sync HTTP) in async paths
All agent outputs and external payloads must use validated BaseModel from Pydantic
Use dataclasses for internal immutable state where appropriate
Use structured logging at boundaries with fields: operation, subject_ids, decision, latency_ms
Implement Agent pattern: single-responsibility agents with typed inputs/outputs
Use Decorator pattern for retries, metrics, caching as cross-cutting concerns
Agent outputs must include: decision, confidence (0..1), short reasoning, recommendations, strategy_used
Implement confidence policy: reject or route to human-in-the-loop when confidence < 0.5
Use minimal, step-driven prompts; provide Chain-of-Thought only for complexity > 0.7 or ambiguity > 0.6
Strip secrets/PII from agent prompts; scope tools; keep raw reasoning out of logs (store summaries only)
Cache idempotent lookups; lazy-import heavy dependencies; bound fan-out with asyncio.Semaphore
Avoid redundant LLM calls; memoize per event when safe
Use domain errors (e.g., AgentError) with error_type, message, context, timestamp, retry_count
Use exponential backoff for transient failures; circuit-break noisy integrations when needed
Fail closed for risky decisions; provide actionable remediation in error paths
Validate all external inputs; verify webhook signatures
Implement prompt-injection hardening; sanitize repository content passed to LLMs
Performance targets: Static validation ~<100ms typical, hybrid decisions sub-second when cache warm, budget LLM paths thoughtfully
Reject old typing syntax (Dict, List, Optional) in code review
Reject blocking calls in async code; reject bare except: clauses; reject swallowed errors
Reject LLM calls for trivial/deterministic checks
Reject unvalidated agent outputs and missing confidenc...

Files:

• src/core/config/settings.py

**/*.yaml

📄 CodeRabbit inference engine (.cursor/rules/guidelines.mdc)

Use YAML for rule configuration with natural-language descriptions; avoid hard-coded if/else in rule files

Files:

• helm-chart/values.yaml

🔇 Additional comments (3)

helm-chart/values.yaml (1)

103-105: GitHub secret key rename is consistent and correct.

This block now matches the new GitHub auth variable naming used across config and deployment.

src/core/config/settings.py (1)

129-132: Validation messages now correctly reference the active env vars.

Good alignment with the config keys actually read in Config.__init__, which avoids setup/debug confusion.

.github/workflows/eks-deploy.yaml (1)

36-39: Workflow env mapping for GitHub App credentials is aligned.

The new env names are consistent with the updated Helm values and Python settings.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's verify the current state of the file at lines 98-99
cat -n .github/workflows/eks-deploy.yaml | sed -n '90,110p'

Repository: warestack/watchflow

Length of output: 1648

---

🏁 Script executed:

# Run the provided verification commands
rg -n --type=yaml -C2 -- '--set\s+secrets\.[A-Z0-9_]+=' .github/workflows/eks-deploy.yaml
rg -n --type=yaml -- '--set-string\s+secrets\.[A-Z0-9_]+=' .github/workflows/eks-deploy.yaml || true

Repository: warestack/watchflow

Length of output: 996

---

🌐 Web query:

Helm --set vs --set-string security best practices for secrets

💡 Result:

What’s the difference?

• --set: Helm parses types (e.g., true→bool, 123→int).
• --set-string: Same as --set, but forces the value to be a string, preventing unwanted type coercion (useful for things that look like numbers/bools, IDs with leading zeros, etc.). Helm documents this directly: “to force string values, use --set-string”. [1]

Security reality for secrets (best practice)

For secrets, --set vs --set-string is mostly a correctness choice, not a meaningful security improvement:

• Both put the secret value into Helm’s computed values and (unless you take special measures) it becomes part of Helm’s release state.
• Helm’s own docs warn that release information includes chart contents and values files and “might contain sensitive data (like passwords, private keys…)” and must be protected via RBAC/encryption-at-rest considerations. [2]
• Practically, anyone with sufficient access can often retrieve sensitive Helm values (e.g., via helm get values / access to the release Secret), so passing secrets as values at all increases the blast radius. [3]

Recommended approaches (instead of --set/--set-string for secrets)

1. Prefer referencing an existing Kubernetes Secret (charts often support patterns like existingSecret, secretName, existingSecretKey, etc.), so the secret value isn’t carried around in Helm values/history.
2. If you must provide secret material as “values”, use encrypted secret values files (GitOps-friendly), e.g. SOPS + helm-secrets so the repository stores only ciphertext and decryption happens at deploy time. [4]
3. For products/charts that support it, store sensitive parameters in Kubernetes Secrets rather than inline values (vendor guidance commonly recommends this). [5]
4. If secrets ever land in Helm release state, lock down access to Secrets in that namespace and ensure Kubernetes encryption at rest is enabled (because Helm’s release state can contain sensitive values). [2][3]

If you still use CLI flags

• Use --set-string for any secret that could be mis-parsed (e.g., 007, true, 1234) to avoid breaking auth due to type coercion. [1]
• Prefer -f values.yaml over flags for anything sensitive/long-lived, and keep secret files encrypted (SOPS) or out of source control.

---

Sources

[1] Helm upgrade command docs (flags --set, --set-string, --set-file, etc.) (helm.sh)
[2] Helm “Advanced” topic: release info contains chart contents + values and may include sensitive data; RBAC/Secrets vs ConfigMaps notes (helm.sh)
[3] Google Cloud Community (Apigee Hybrid): sensitive Helm values visible via Helm release Secrets / helm get values; recommends restricting access (googlecloudcommunity.com)
[4] Baeldung: encrypting values with SOPS and using helm-secrets to deploy without exposing secrets in repo (baeldung.com)
[5] GitGuardian Helm install docs: favor Kubernetes Secrets over inline sensitive parameters (docs.gitguardian.com)

Citations:

• 1: https://helm.sh/docs/helm/helm_upgrade?utm_source=openai
• 2: https://helm.sh/docs/v3/topics/advanced/?utm_source=openai
• 3: https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Apigee-Hybrid-Security-Best-Practices-Handling-Sensitive-Helm/ta-p/705316?utm_source=openai
• 4: https://www.baeldung.com/ops/helm-charts-best-practices?utm_source=openai
• 5: https://docs.gitguardian.com/self-hosting/installation/helm-secrets?utm_source=openai

---

Change all secret values to use --set-string to prevent type coercion.

Lines 97–104 pass multiple secrets using --set, which allows Helm to interpret values as booleans, numbers, or other types. If a secret value resembles a boolean (true, false) or number, Helm may reinterpret it, breaking authentication at deploy time. Use --set-string with quoted expansions instead.

Proposed fix

-            --set secrets.APP_NAME_GITHUB=${{ env.APP_NAME_GITHUB }} \
-            --set secrets.APP_CLIENT_ID_GITHUB=${{ env.APP_CLIENT_ID_GITHUB }} \
-            --set secrets.APP_CLIENT_SECRET_GITHUB=${{ env.APP_CLIENT_SECRET_GITHUB }} \
-            --set secrets.PRIVATE_KEY_BASE64_GITHUB=${{ env.PRIVATE_KEY_BASE64_GITHUB }} \
-            --set secrets.WEBHOOK_SECRET_GITHUB=${{ env.WEBHOOK_SECRET_GITHUB }} \
-            --set secrets.OPENAI_API_KEY=${{ env.OPENAI_API_KEY }} \
-            --set secrets.LANGCHAIN_API_KEY=${{ env.LANGCHAIN_API_KEY }} \
-            --set secrets.LANGCHAIN_PROJECT=${{ env.LANGCHAIN_PROJECT }} \
+            --set-string secrets.APP_NAME_GITHUB="${{ env.APP_NAME_GITHUB }}" \
+            --set-string secrets.APP_CLIENT_ID_GITHUB="${{ env.APP_CLIENT_ID_GITHUB }}" \
+            --set-string secrets.APP_CLIENT_SECRET_GITHUB="${{ env.APP_CLIENT_SECRET_GITHUB }}" \
+            --set-string secrets.PRIVATE_KEY_BASE64_GITHUB="${{ env.PRIVATE_KEY_BASE64_GITHUB }}" \
+            --set-string secrets.WEBHOOK_SECRET_GITHUB="${{ env.WEBHOOK_SECRET_GITHUB }}" \
+            --set-string secrets.OPENAI_API_KEY="${{ env.OPENAI_API_KEY }}" \
+            --set-string secrets.LANGCHAIN_API_KEY="${{ env.LANGCHAIN_API_KEY }}" \
+            --set-string secrets.LANGCHAIN_PROJECT="${{ env.LANGCHAIN_PROJECT }}" \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/eks-deploy.yaml around lines 98 - 99, Replace all Helm
flag usages that pass secrets with --set (e.g., --set
secrets.APP_CLIENT_ID_GITHUB, --set secrets.APP_CLIENT_SECRET_GITHUB and other
secrets.* occurrences) with --set-string and quote the expansion so values are
not type-coerced by Helm; update each flag invocation (the occurrences of --set
secrets.<KEY>) to use --set-string 'secrets.<KEY>=${{ env.<ENV_VAR> }}' style
quoting for every secret passed in this Helm command.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

❌ Your patch status has failed because the patch coverage (0.0%) is below the target coverage (80.0%). You can increase the patch coverage or adjust the target coverage.
❌ Your project status has failed because the head coverage (68.7%) is below the target coverage (80.0%). You can increase the head coverage or adjust the target coverage.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@          Coverage Diff          @@
##            main     #53   +/-   ##
=====================================
  Coverage   68.7%   68.7%           
=====================================
  Files        154     154           
  Lines       9709    9709           
=====================================
  Hits        6677    6677           
  Misses      3032    3032           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 267e19f...5435c37. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.