fix: pass runtime env vars to Vercel deploy #350

Merged: saddlepaddle merged 1 commit into main from zygotic-dragonfly-50f626 on Dec 13, 2025

@saddlepaddle saddlepaddle commented Dec 13, 2025

Summary

  • Fixes critical Clerk auth error in production (Missing secretKey)
  • Server-side environment variables were only available at build time, not runtime
  • Added --env flags to vercel deploy commands to pass runtime variables to serverless functions

Test plan

  • Verify marketing site loads without Clerk errors
  • Verify auth works across all apps (web, api, admin, marketing)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Ensure required environment variables are forwarded to production and preview deployments so deployed services receive runtime configuration consistently across jobs.
    • Expanded deployment commands to propagate additional runtime variables for web, API, marketing, and admin deployments; deployment behavior and error handling remain unchanged.


coderabbitai Bot commented Dec 13, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between ac3ea1c and f64be8c.

📒 Files selected for processing (2)
  • .github/workflows/deploy-preview.yml (4 hunks)
  • .github/workflows/deploy-production.yml (4 hunks)

Walkthrough

Added propagation of multiple environment variables into Vercel deploy commands in GitHub Actions for both production and preview workflows, injecting secrets and URLs (e.g., CLERK_*, DATABASE_URL, BLOB_READ_WRITE_TOKEN, NEXT_PUBLIC_*) into prebuilt deployments.

Changes

Cohort / File(s) | Change Summary
--- | ---
Production deployment workflow (.github/workflows/deploy-production.yml) | Injected environment variables into Vercel deploy commands for several deploy jobs (deploy-api, deploy-web, deploy-marketing, deploy-admin). Variables added include CLERK_SECRET_KEY, CLERK_WEBHOOK_SECRET, DATABASE_URL, DATABASE_URL_UNPOOLED, BLOB_READ_WRITE_TOKEN, NEXT_PUBLIC_WEB_URL, and NEXT_PUBLIC_ADMIN_URL as appropriate per job.
Preview deployment workflow (.github/workflows/deploy-preview.yml) | Expanded Vercel deploy commands to pass additional environment variables into prebuilt preview deployments, including CLERK_SECRET_KEY, CLERK_WEBHOOK_SECRET, DATABASE_URL, DATABASE_URL_UNPOOLED, BLOB_READ_WRITE_TOKEN, NEXT_PUBLIC_WEB_URL, and NEXT_PUBLIC_ADMIN_URL depending on the job.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Repetitive, configuration-only edits across two workflow files.
  • Verify correct variable names, correct escaping/continuation in shell lines, and that no secrets are accidentally printed in logs.
  • Confirm each deploy job receives the intended subset of variables.

Poem

🐇 I hop through YAML, secrets in tow,

envs stitched tight so deployments flow,
Keys and URLs tucked neat and warm,
Off to Vercel they leap in charm,
A rabbit's cheer for CI magic born.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
--- | --- | --- | ---
Description check | ❓ Inconclusive | The description provides a summary and test plan but is missing several template sections including Related Issues, Type of Change, and Screenshots. | Complete the PR description by filling in all template sections: specify the Type of Change (Bug fix), add Related Issues links if available, and include the Additional Notes section.

✅ Passed checks (2 passed)

Check name | Status | Explanation
--- | --- | ---
Title check | ✅ Passed | The title 'fix: pass runtime env vars to Vercel deploy' is clear, specific, and directly summarizes the main change in the pull request.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


github-actions Bot commented Dec 13, 2025

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

Service Status
Neon Database (Neon)

Thank you for your contribution! 🎉


Preview resources have been processed for cleanup


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/deploy-production.yml (1)

66-85: Possible missing runtime env: DATABASE_URL_UNPOOLED is set but not deployed
In deploy-api you export DATABASE_URL_UNPOOLED (Line 72) but don’t pass it via --env. If any runtime code expects it, this will remain broken.

           vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN" \
             --env CLERK_SECRET_KEY="$CLERK_SECRET_KEY" \
             --env CLERK_WEBHOOK_SECRET="$CLERK_WEBHOOK_SECRET" \
             --env DATABASE_URL="$DATABASE_URL" \
+            --env DATABASE_URL_UNPOOLED="$DATABASE_URL_UNPOOLED" \
             --env BLOB_READ_WRITE_TOKEN="$BLOB_READ_WRITE_TOKEN"
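
Review bot: the added `--env DATABASE_URL_UNPOOLED="$DATABASE_URL_UNPOOLED"` line places a second database credential in the API runtime without a confirmed reader; the comment above only says "if any runtime code expects it". Check the API's server code for a use of DATABASE_URL_UNPOOLED before adding the line, and leave it out if nothing reads it, so the serverless functions hold only the connection strings they actually use.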
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d15e65 and 3c81bc0.

📒 Files selected for processing (1)
  • .github/workflows/deploy-production.yml (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Deploy Web
  • GitHub Check: Deploy Marketing
  • GitHub Check: Deploy Docs
  • GitHub Check: Deploy API
  • GitHub Check: Deploy Admin
  • GitHub Check: Build
🔇 Additional comments (5)
.github/workflows/deploy-production.yml (5)

130-132: Keep env propagation consistent (and quote values)
Same notes as API: quote values; also consider whether DATABASE_URL_UNPOOLED is required at runtime for Web (it’s present in env but not deployed).

-          vercel deploy --prod --prebuilt --token=$VERCEL_TOKEN \
-            --env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
-            --env DATABASE_URL=$DATABASE_URL
+          vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN" \
+            --env CLERK_SECRET_KEY="$CLERK_SECRET_KEY" \
+            --env DATABASE_URL="$DATABASE_URL"
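
Review bot: missing check on the `+` lines: `"$CLERK_SECRET_KEY"` and `"$DATABASE_URL"` expand to empty strings when the variables are unset, and the shell still runs `vercel deploy` with `--env CLERK_SECRET_KEY=`, which is the same missing-key state this PR is fixing. Add a guard before the deploy line, for example `: "${CLERK_SECRET_KEY:?}" "${DATABASE_URL:?}"`, so the step fails before anything is deployed.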

174-175: Marketing deploy: verify Clerk secret is actually needed server-side
If Marketing is purely static/CSR, injecting CLERK_SECRET_KEY is unnecessary risk; if there are serverless routes using Clerk server SDK, then this is correct—please confirm.


219-221: Admin deploy: same consistency/quoting + check DATABASE_URL_UNPOOLED
Quote values and confirm which DB URL variant Admin needs at runtime; right now only DATABASE_URL is deployed.

-          vercel deploy --prod --prebuilt --token=$VERCEL_TOKEN \
-            --env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
-            --env DATABASE_URL=$DATABASE_URL
+          vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN" \
+            --env CLERK_SECRET_KEY="$CLERK_SECRET_KEY" \
+            --env DATABASE_URL="$DATABASE_URL"

81-85: Overall direction looks right for the reported “Missing secretKey” incident
The change matches the stated root cause (runtime envs missing in serverless). Once the flag semantics and completeness are verified, this should unblock production.

Also applies to: 130-132, 174-175, 219-221


81-85: Runtime environment variables with vercel deploy --prebuilt are correctly configured using --env
The --env flag (as used in lines 81–85) correctly sets environment variables for the runtime of the deployment (serverless functions and server-side code). This is the appropriate choice for passing secrets like CLERK_SECRET_KEY, DATABASE_URL, and BLOB_READ_WRITE_TOKEN at runtime; --env works as expected with the --prebuilt flag and does not require --build-env unless the values are needed during the build step itself.

Comment thread .github/workflows/deploy-production.yml Outdated
Comment on lines +81 to +85
vercel deploy --prod --prebuilt --token=$VERCEL_TOKEN \
--env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
--env CLERK_WEBHOOK_SECRET=$CLERK_WEBHOOK_SECRET \
--env DATABASE_URL=$DATABASE_URL \
--env BLOB_READ_WRITE_TOKEN=$BLOB_READ_WRITE_TOKEN
⚠️ Potential issue | 🟠 Major

Quote env values + consider CLI-arg secret exposure
Passing secrets as CLI args is workable but brittle; at minimum quote values (and ideally prefer storing secrets in Vercel project env vars so they aren’t present in command lines).

-          vercel deploy --prod --prebuilt --token=$VERCEL_TOKEN \
-            --env CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
-            --env CLERK_WEBHOOK_SECRET=$CLERK_WEBHOOK_SECRET \
-            --env DATABASE_URL=$DATABASE_URL \
-            --env BLOB_READ_WRITE_TOKEN=$BLOB_READ_WRITE_TOKEN
+          vercel deploy --prod --prebuilt --token="$VERCEL_TOKEN" \
+            --env CLERK_SECRET_KEY="$CLERK_SECRET_KEY" \
+            --env CLERK_WEBHOOK_SECRET="$CLERK_WEBHOOK_SECRET" \
+            --env DATABASE_URL="$DATABASE_URL" \
+            --env BLOB_READ_WRITE_TOKEN="$BLOB_READ_WRITE_TOKEN"
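
Review bot: quoting on the `+` lines fixes word splitting only; the deploy token and all four secrets remain process arguments of `vercel deploy`, readable from the process list on the runner for as long as the command runs. If the values stay on the command line, keep this step free of `set -x`, which would echo the expanded arguments, and pass each job only the variables its app reads at runtime.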
🤖 Prompt for AI Agents
In .github/workflows/deploy-production.yml around lines 81 to 85, the workflow
is passing secrets directly as unquoted CLI environment arguments to the vercel
deploy command; at minimum wrap each env value in quotes (e.g., "--env
CLERK_SECRET_KEY=\"$CLERK_SECRET_KEY\"") to avoid word-splitting and shell
interpretation, and preferably stop passing secrets on the command line
altogether by provisioning those secrets as Vercel project/environment variables
(or using vercel's secure env APIs) and removing them from the CLI invocation so
secrets are not exposed in process lists or logs.
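
The quoting and missing-value points raised in the review above, as an added example that is not part of the PR or its workflow files. The sample values and the helper names `count_args`, `unquoted_argc`, `quoted_argc` and `require_vars` are constructed for illustration, and `vercel` itself is never invoked.

```shell
#!/bin/sh
# Added example: sample values are constructed, not real credentials.
SAMPLE_DB_URL='postgres://app:pass word@db.example.invalid/main'

# Prints the number of arguments a command would receive.
count_args() { echo "$#"; }

# Unquoted expansion, as in the lines under review: the shell splits the
# value on whitespace, so the tail becomes a stray extra argument.
unquoted_argc() {
  # shellcheck disable=SC2086
  count_args --env DATABASE_URL=$SAMPLE_DB_URL
}

# Quoted expansion, as in the suggested fix: one NAME=value argument.
quoted_argc() {
  count_args --env DATABASE_URL="$SAMPLE_DB_URL"
}

# require_vars NAME...: returns 1 and names the first variable that is
# unset or empty, so a deploy step can stop before shipping a blank secret.
require_vars() {
  for _name in "$@"; do
    case $_name in
      '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
        echo "invalid variable name: $_name" >&2
        return 2 ;;
    esac
    eval "_value=\${$_name-}"   # indirect lookup; name validated above
    if [ -z "$_value" ]; then
      echo "missing required variable: $_name" >&2
      return 1
    fi
  done
  return 0
}

echo "unquoted: $(unquoted_argc) args, quoted: $(quoted_argc) args"
```

In a workflow step, a call such as `require_vars CLERK_SECRET_KEY DATABASE_URL || exit 1` would sit directly before the deploy command.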

Server-side environment variables (CLERK_SECRET_KEY, DATABASE_URL, etc.)
were only available at build time, not runtime. This caused Clerk auth
to fail in production. Added --env flags to vercel deploy commands to
pass these variables to the serverless function runtime.

Updated both production and preview workflows.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@saddlepaddle saddlepaddle force-pushed the zygotic-dragonfly-50f626 branch from ac3ea1c to f64be8c Compare December 13, 2025 02:57
@superset-sh superset-sh deleted a comment from vercel Bot Dec 13, 2025
@saddlepaddle saddlepaddle merged commit f61025f into main Dec 13, 2025
12 checks passed