firebase-tools

Fix non-interactive deployment failure when secrets exist in Secret Manager

Open TorbenWetter opened this issue 2 months ago • 1 comments

Fixes #9368

Problem

PR #9335 added a check that fails deployments in non-interactive mode (e.g., GitHub Actions, CI/CD) when secrets are required. However, it didn't verify whether those secrets already exist in Secret Manager, causing deployments to fail even when all secrets were properly configured.

Solution

This PR modifies the non-interactive mode check to query Secret Manager before throwing an error. It checks if each required secret exists using secretManager.getSecretMetadata(). Only truly missing secrets will cause the deployment to fail.

Changes

  • Modified src/deploy/functions/params.ts to check Secret Manager for existing secrets before throwing non-interactive error
  • Added comprehensive unit tests covering all scenarios:
    • Secrets that exist in Secret Manager: deployment succeeds
    • Secrets that don't exist: deployment fails with helpful error
    • Mixed scenario: only missing secrets are reported in error
    • JSON secrets: error includes correct format flag
  • Updated CHANGELOG.md

Testing

  • Added 4 new unit tests in src/deploy/functions/params.spec.ts
  • All new tests pass locally
  • No new lint errors introduced
  • Backward compatible - maintains the same helpful error messages for actually missing secrets

Impact

This fix allows non-interactive deployments (CI/CD pipelines) to succeed when secrets are already configured in Secret Manager, while still providing helpful error messages when secrets are truly missing.

TorbenWetter, Oct 23 '25 09:10
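
The check described in the PR, sketched as an added example (not code from the PR or from firebase-tools). Every identifier below is hypothetical, the `{ status: 404 }` error shape is an assumption, and treating lookup errors other than not-found as fatal is this example's choice, not something the PR states.

```typescript
// Added example, not firebase-tools code. All identifiers are hypothetical.
interface SecretParam {
  name: string;
}

// Resolves when the secret exists; rejects with { status: 404 } when it does
// not (assumed error shape). Stands in for a metadata call such as the
// secretManager.getSecretMetadata() named in the PR description.
type MetadataLookup = (projectId: string, name: string) => Promise<void>;

function isNotFound(err: unknown): boolean {
  return typeof err === "object" && err !== null &&
    (err as { status?: number }).status === 404;
}

// Returns the names of required secrets that do not exist.
async function findMissingSecrets(
  projectId: string, required: SecretParam[], lookup: MetadataLookup,
): Promise<string[]> {
  const results = await Promise.all(required.map(async (param) => {
    try {
      await lookup(projectId, param.name);
      return ""; // exists: nothing to report
    } catch (err) {
      if (isNotFound(err)) return param.name;
      // Permission or transport errors are not "missing secret": surface
      // the real cause instead of telling the operator to create a secret.
      throw err;
    }
  }));
  return results.filter((name) => name !== "");
}

// Non-interactive gate: fail only when something is actually missing.
async function assertSecretsExist(
  projectId: string, required: SecretParam[], lookup: MetadataLookup,
): Promise<void> {
  const missing = await findMissingSecrets(projectId, required, lookup);
  if (missing.length > 0) {
    throw new Error(`Secrets missing from Secret Manager: ${missing.join(", ")}`);
  }
}

// Constructed stand-in for Secret Manager holding only the listed names.
function fakeLookup(existing: string[]): MetadataLookup {
  return async (_projectId: string, name: string): Promise<void> => {
    if (existing.indexOf(name) < 0) throw { status: 404 };
  };
}
```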

Summary of Changes

Hello @TorbenWetter, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where non-interactive deployments, such as those in CI/CD pipelines, would erroneously fail when secrets were required, even if those secrets were already properly configured in Secret Manager. The fix introduces a pre-check that verifies the existence of required secrets in Secret Manager, ensuring that deployments only halt for truly missing secrets and providing accurate error messages when necessary. This significantly improves the reliability of automated deployment workflows involving secrets.

Highlights

  • Problem Addressed: Previously, non-interactive deployments (e.g., CI/CD) would fail if secrets were required, even if those secrets already existed in Secret Manager. This was due to a check that didn't verify the secrets' presence.
  • Solution Implemented: The non-interactive deployment check now queries Secret Manager for each required secret. Deployments will only fail if secrets are genuinely missing, allowing pre-configured secrets to pass the check.
  • Comprehensive Testing: New unit tests have been added to cover various scenarios, including secrets existing, secrets missing, mixed scenarios, and correct error formatting for JSON secrets.

[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot], Oct 23 '25 09:10