Inject secrets

AndreasKoestler · AndreasKoestler · commit 6e9ea0954fc1 · 2025-12-01T10:36:07.000-05:00
diff --git a/.github/actions/cdk-synth/action.yaml b/.github/actions/cdk-synth/action.yaml
@@ -17,6 +17,10 @@ inputs:
     required: false
     description: An optional working directory where the CDK code is located
     default: ./
+  deploy-parameters:
+    required: false
+    description: Optional additional parameters for 'cdk-deploy'
+    default: ""
   python-version:
     description: The Python version to use
     required: false
@@ -53,4 +57,4 @@ runs:
       env:
         CDK_DEPLOY_ACCOUNT: ${{ inputs.account }}
         CDK_DEPLOY_REGION: ${{ inputs.region }}
-      run: cdk synth --exclusively ${{ inputs.stacks }}
+      run: cdk synth --exclusively ${{ inputs.stacks }} --require-approval never ${{ inputs.deploy-parameters }}
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -4,11 +4,11 @@ on:
     workflow_call:
         inputs:
           account:
-            required: true
+            required: false
             type: string
             default: "730335381248"
           region:
-            required: true
+            required: false
             type: string
             default: "ap-northeast-1"
 
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -4,11 +4,11 @@ on:
     workflow_call:
         inputs:
           account:
-            required: true
+            required: false
             type: string
             default: "730335381248"
           region:
-            required: true
+            required: false
             type: string
             default: "ap-northeast-1"
 
diff --git a/Dockerfile b/Dockerfile
@@ -8,8 +8,7 @@ ENV GIT_REPO_URL=${GIT_REPO_URL}
 ARG GIT_BRANCH
 ENV GIT_BRANCH=${GIT_BRANCH}
 
-RUN echo "GIT_REPO_URL: ${GIT_REPO_URL}"
-RUN echo "GIT_BRANCH: ${GIT_BRANCH}"
+RUN echo "Cache bust: ${RAILWAY_GIT_COMMIT_SHA}"
 
 # Copy the project files
 RUN apt-get update && apt-get install -y curl git bash 
@@ -34,7 +33,9 @@ RUN /root/.foundry/bin/forge build
 
 FROM --platform=${PLATFORM} debian:trixie-slim AS runtime
 
-RUN apt-get update && apt-get install -y adduser python3-full virtualenv && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y gnupg adduser python3-full virtualenv && rm -rf /var/lib/apt/lists/*
+RUN curl -Ls https://cli.doppler.com/install.sh | sh
+
 
 COPY --from=build /mewler-liquidation-bot /app
 
@@ -72,4 +73,4 @@ EXPOSE 8080
 
 # CMD ["python", "python/liquidation_bot.py"]
 # Run the application
-CMD [".venv/bin/gunicorn", "--bind", "0.0.0.0:8080", "application:application"]
+CMD ["doppler", "run", "--", ".venv/bin/gunicorn", "--bind", "0.0.0.0:8080", "application:application"]
diff --git a/Dockerfile.aws b/Dockerfile.aws
@@ -20,7 +20,8 @@ RUN /root/.foundry/bin/forge build
 
 FROM --platform=${PLATFORM} debian:trixie-slim AS runtime
 
-RUN apt-get update && apt-get install -y adduser python3-full virtualenv && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y gnupg adduser python3-full virtualenv && rm -rf /var/lib/apt/lists/*
+RUN curl -Ls https://cli.doppler.com/install.sh | sh
 
 COPY --from=build /app /app
 
@@ -60,4 +61,4 @@ EXPOSE 8080
 
 # CMD ["python", "python/liquidation_bot.py"]
 # Run the application
-CMD [".venv/bin/gunicorn", "--bind", "0.0.0.0:8080", "application:application"]
+CMD ["doppler", "run", "--", ".venv/bin/gunicorn", "--bind", "0.0.0.0:8080", "application:application"]
diff --git a/cdk/app.py b/cdk/app.py
@@ -25,24 +25,6 @@
     vpc_id="vpc-01e44f96507b5ea1b",
     cluster_name="hypurr-liquidator-cluster",
     secret_name=os.getenv("SECRET_NAME", "mewler-liquidation-bot/config"),
-    container_environment={
-        # Non-sensitive configuration values
-        # RPC URLs (can be overridden by secrets)
-        "MAINNET_RPC_URL": "https://eth-mainnet.g.alchemy.com/v2/FDD0XfX77DTxUk3qykJ3U",
-        "HYPEREVM_MAINNET_RPC_URL": "https://eth-mainnet.g.alchemy.com/v2/FDD0XfX77DTxUk3qykJ3U",
-        "BASE_RPC_URL": "https://eth-mainnet.g.alchemy.com/v2/FDD0XfX77DTxUk3qykJ3U",
-        "ARBITRUM_RPC_URL": "https://eth-mainnet.g.alchemy.com/v2/FDD0XfX77DTxUk3qykJ3U",
-        # GlueX API Configuration (can be overridden by secrets)
-        "GLUEX_API_URL": "https://router.gluex.xyz/v1/quote",
-        "GLUEX_UNIQUE_PID": "657a8d5a95d73a70a4b49319544a42ad61d689c83679fcfe6b80e8e9b51cfe2c",
-        "GLUEX_API_KEY": "SVQkMIOLo9O2NpA0xI0pQGPV1FYIYXmk",
-        ### OPTIONAL ###
-        # Slack webhook URL for sending notifications
-        "SLACK_WEBHOOK_URL": "https://hooks.slack.com/services/SLACK_KEY",
-        # URL for the liquidation UI, if including in the slack notification
-        "RISK_DASHBOARD_URL": "http://127.0.0.1:8080",
-        # Note: LIQUIDATOR_EOA and LIQUIDATOR_PRIVATE_KEY must be in Secrets Manager
-    },
 )
 
 app.synth()
diff --git a/cdk/mewler_liquidation_bot_stack.py b/cdk/mewler_liquidation_bot_stack.py
@@ -98,21 +98,17 @@ def __init__(
 
         env_vars = container_environment.copy() if container_environment else {}
 
-        secrets = {}
-        required_secret_keys = [
-            "LIQUIDATOR_EOA",
-            "LIQUIDATOR_PRIVATE_KEY",
-        ]
 
-        for key in required_secret_keys:
-            secrets[key] = ecs.Secret.from_secrets_manager(secret, key)
+        doppler_token = ecs.Secret.from_secrets_manager(secret, "DOPPLER_TOKEN")
 
         container = task_definition.add_container(
             "mewler-liquidation-bot",
             image=image,
             memory_limit_mib=2048,
             environment=env_vars if env_vars else None,
-            secrets=secrets if secrets else None,
+            secrets={
+                "DOPPLER_TOKEN": doppler_token,
+            },
             logging=ecs.LogDriver.aws_logs(
                 stream_prefix="mewler-liquidation-bot",
                 log_retention=logs.RetentionDays.THREE_DAYS,
