chore: avoid hardcoded local secret file paths

scripts/deploy-workers.sh

@@ -4,23 +4,23 @@ set -euo pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "${root}"
 
-# Load Cloudflare deploy credentials from the founder's Vault by default, but never commit secrets.
+# Optionally load Cloudflare deploy credentials from files (never commit these).
-# Override paths via EVERY_CHANNEL_CF_TOKEN_FILE / EVERY_CHANNEL_CF_ACCOUNT_FILE, or set env vars directly.
+# Prefer setting env vars directly in CI (`CLOUDFLARE_API_TOKEN`).
-token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-$HOME/Vault/Secrets/ecp-cf-token.txt}"
+token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-}"
-account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-$HOME/Vault/Secrets/ecp-cf-account.txt}"
+account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-}"
 
-if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -f "${token_file}" ]]; then
+if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -n "${token_file}" && -f "${token_file}" ]]; then
   export CLOUDFLARE_API_TOKEN
   CLOUDFLARE_API_TOKEN="$(cat "${token_file}")"
 fi
 
-if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -f "${account_file}" ]]; then
+if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -n "${account_file}" && -f "${account_file}" ]]; then
   export CLOUDFLARE_ACCOUNT_ID
   CLOUDFLARE_ACCOUNT_ID="$(cat "${account_file}")"
 fi
 
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
-  echo "error: CLOUDFLARE_API_TOKEN is not set (set env var or provide ${token_file})" >&2
+  echo "error: CLOUDFLARE_API_TOKEN is not set" >&2
   exit 2
 fi