managarten/manadeck/backend/setup-github-secrets.sh

#!/bin/bash
# Script to generate values for GitHub Secrets
# Run this script and copy the outputs to GitHub repository secrets

set -e

# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

echo "=========================================="
echo "GitHub Secrets Setup for Manadeck Backend"
echo "=========================================="
echo ""

PROJECT_ID="memo-2c4c4"
SA_NAME="manadeck-backend-sa"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Check if service account exists
echo "Checking if service account exists..."
if gcloud iam service-accounts describe $SA_EMAIL --project=$PROJECT_ID &> /dev/null; then
    echo -e "${GREEN}✓${NC} Service account exists: $SA_EMAIL"
else
    echo -e "${YELLOW}⚠${NC} Service account not found. Creating..."

    # Create service account
    gcloud iam service-accounts create $SA_NAME \
      --display-name="Manadeck Backend Service Account" \
      --project=$PROJECT_ID

    echo -e "${GREEN}✓${NC} Service account created"

    # Grant required roles
    echo "Granting required roles..."

    gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="roles/run.admin" \
      --condition=None

    gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="roles/iam.serviceAccountUser" \
      --condition=None

    gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="roles/artifactregistry.writer" \
      --condition=None

    echo -e "${GREEN}✓${NC} Roles granted"
fi

echo ""
echo "=========================================="
echo "GitHub Secret #1: CLOUD_RUN_SERVICE_ACCOUNT"
echo "=========================================="
echo ""
echo -e "${BLUE}Copy this value:${NC}"
echo ""
echo "$SA_EMAIL"
echo ""
echo "Add to GitHub: Settings → Secrets → Actions → New repository secret"
echo "Name: CLOUD_RUN_SERVICE_ACCOUNT"
echo "Value: $SA_EMAIL"
echo ""
read -p "Press Enter when you've added CLOUD_RUN_SERVICE_ACCOUNT to GitHub..."

echo ""
echo "=========================================="
echo "GitHub Secret #2: GCP_SA_KEY_PROD"
echo "=========================================="
echo ""

# Check if key file already exists
KEY_FILE="manadeck-sa-key.json"
if [ -f "$KEY_FILE" ]; then
    echo -e "${YELLOW}⚠${NC} Key file already exists: $KEY_FILE"
    read -p "Do you want to create a new key? (y/N): " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        echo "Using existing key file..."
    else
        rm "$KEY_FILE"
        echo "Creating new service account key..."
        gcloud iam service-accounts keys create $KEY_FILE \
          --iam-account=$SA_EMAIL \
          --project=$PROJECT_ID
        echo -e "${GREEN}✓${NC} New key created"
    fi
else
    echo "Creating service account key..."
    gcloud iam service-accounts keys create $KEY_FILE \
      --iam-account=$SA_EMAIL \
      --project=$PROJECT_ID
    echo -e "${GREEN}✓${NC} Key created"
fi

echo ""
echo -e "${BLUE}Copy the ENTIRE JSON content below:${NC}"
echo ""
echo "=========================================="
cat $KEY_FILE
echo "=========================================="
echo ""
echo "Add to GitHub: Settings → Secrets → Actions → New repository secret"
echo "Name: GCP_SA_KEY_PROD"
echo "Value: [paste the entire JSON above]"
echo ""
read -p "Press Enter when you've added GCP_SA_KEY_PROD to GitHub..."

echo ""
echo "=========================================="
echo "GitHub Secret #3: GH_PERSONAL_TOKEN"
echo "=========================================="
echo ""
echo -e "${YELLOW}This token is needed to access private GitHub packages${NC}"
echo ""
echo "Steps to create:"
echo "1. Go to: https://github.com/settings/tokens"
echo "2. Click 'Generate new token (classic)'"
echo "3. Name: 'Manadeck CI/CD'"
echo "4. Select scope: 'repo' (Full control of private repositories)"
echo "5. Click 'Generate token'"
echo "6. Copy the token"
echo ""
echo "Add to GitHub: Settings → Secrets → Actions → New repository secret"
echo "Name: GH_PERSONAL_TOKEN"
echo "Value: [paste your GitHub token]"
echo ""
read -p "Press Enter when you've added GH_PERSONAL_TOKEN to GitHub..."

# Cleanup
echo ""
echo "=========================================="
echo "Cleanup"
echo "=========================================="
echo ""
echo -e "${YELLOW}⚠${NC} Security best practice: Delete the local key file"
echo "The key file contains sensitive credentials and should not be kept locally."
echo ""
read -p "Delete $KEY_FILE now? (Y/n): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Nn]$ ]]; then
    rm -f $KEY_FILE
    echo -e "${GREEN}✓${NC} Key file deleted"
else
    echo -e "${YELLOW}⚠${NC} Key file kept: $KEY_FILE"
    echo "   Remember to delete it manually when done!"
fi

echo ""
echo "=========================================="
echo "✅ Setup Complete!"
echo "=========================================="
echo ""
echo "Summary of GitHub Secrets:"
echo "1. ✓ CLOUD_RUN_SERVICE_ACCOUNT = $SA_EMAIL"
echo "2. ✓ GCP_SA_KEY_PROD = [JSON key from service account]"
echo "3. ✓ GH_PERSONAL_TOKEN = [Your GitHub Personal Access Token]"
echo ""
echo "Next steps:"
echo "1. Verify all 3 secrets are in GitHub: https://github.com/Memo-2023/manadeck/settings/secrets/actions"
echo "2. Run: ./create-secrets.sh (to set up GCP secrets)"
echo "3. Push to main branch to trigger deployment"
echo ""
echo "Documentation:"
echo "- DEPLOYMENT_CHECKLIST.md - Complete setup guide"
echo "- DEPLOY_MANUAL.md - Detailed deployment docs"
echo ""