From f0a38c955f283a5d67a9393bb1edac3986e7bf94 Mon Sep 17 00:00:00 2001
From: "every.channel"
Date: Sun, 15 Feb 2026 16:20:31 -0500
Subject: [PATCH] chore: avoid hardcoded local secret file paths
---
 scripts/deploy-workers.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/deploy-workers.sh b/scripts/deploy-workers.sh
index 6eef35b..9e60967 100755
--- a/scripts/deploy-workers.sh
+++ b/scripts/deploy-workers.sh
@@ -4,23 +4,23 @@ set -euo pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "${root}"
-# Load Cloudflare deploy credentials from the founder's Vault by default, but never commit secrets.
-# Override paths via EVERY_CHANNEL_CF_TOKEN_FILE / EVERY_CHANNEL_CF_ACCOUNT_FILE, or set env vars directly.
-token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-$HOME/Vault/Secrets/ecp-cf-token.txt}"
-account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-$HOME/Vault/Secrets/ecp-cf-account.txt}"
+# Optionally load Cloudflare deploy credentials from files (never commit these).
+# Prefer setting env vars directly in CI (`CLOUDFLARE_API_TOKEN`).
+token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-}"
+account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-}"
-if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -f "${token_file}" ]]; then
+if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -n "${token_file}" && -f "${token_file}" ]]; then
 export CLOUDFLARE_API_TOKEN
 CLOUDFLARE_API_TOKEN="$(cat "${token_file}")"
 fi
-if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -f "${account_file}" ]]; then
+if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -n "${account_file}" && -f "${account_file}" ]]; then
 export CLOUDFLARE_ACCOUNT_ID
 CLOUDFLARE_ACCOUNT_ID="$(cat "${account_file}")"
 fi
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
- echo "error: CLOUDFLARE_API_TOKEN is not set (set env var or provide ${token_file})" >&2
+ echo "error: CLOUDFLARE_API_TOKEN is not set" >&2
 exit 2
 fi
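Review bot: A configured but unusable `EVERY_CHANNEL_CF_TOKEN_FILE` is now indistinguishable from no configuration at all: the `-n "${token_file}" && -f "${token_file}"` guard silently skips a missing path, and the final error no longer names the file, so a typo in the path surfaces only as "CLOUDFLARE_API_TOKEN is not set". The message could keep the hint only when a path was given, e.g. `echo "error: CLOUDFLARE_API_TOKEN is not set${token_file:+ (EVERY_CHANNEL_CF_TOKEN_FILE=${token_file} is missing or empty)}" >&2`. The same silent skip applies to `account_file`, and no check of `CLOUDFLARE_ACCOUNT_ID` is visible in this hunk; the script may continue past the hunk's last line, so that check may exist further down. Since the file holds a deploy token, a comment next to `token_file=` saying it should be readable by its owner only (mode 0600) would help whoever sets the variable.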