From cc423053e930229a768b35e5640424d26f22f272 Mon Sep 17 00:00:00 2001 From: whekin Date: Mon, 16 Mar 2026 04:05:31 +0400 Subject: [PATCH] fix(cd): simplify webhook secret loading and add error checking --- .github/workflows/cd.yml | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 55f9400..391974a 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -230,35 +230,30 @@ jobs: - name: Load webhook secret id: webhook-secret run: | - set +e secret_name="telegram-webhook-secret" if [[ "${SERVICE_SUFFIX}" == "dev" ]]; then secret_name="telegram-webhook-secret-test" fi + + echo "Loading secret: ${secret_name}" secret="$(gcloud secrets versions access latest \ --secret "${secret_name}" \ - --project "${{ vars.GCP_PROJECT_ID }}" 2>/dev/null)" - status=$? - set -e + --project "${{ vars.GCP_PROJECT_ID }}")" - if [[ $status -eq 0 && -n "$secret" ]]; then - echo "::add-mask::$secret" - { - echo "available=true" - echo "secret<> "$GITHUB_OUTPUT" - else - echo "available=false" >> "$GITHUB_OUTPUT" - fi + echo "::add-mask::$secret" + echo "secret=${secret}" >> "$GITHUB_OUTPUT" - name: Set Telegram Webhook - if: ${{ steps.telegram-token.outputs.available == 'true' && steps.webhook-secret.outputs.available == 'true' }} + if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' }} env: TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} TELEGRAM_WEBHOOK_SECRET: ${{ steps.webhook-secret.outputs.secret }} run: | + if [[ -z "$TELEGRAM_WEBHOOK_SECRET" ]]; then + echo "ERROR: TELEGRAM_WEBHOOK_SECRET is not set" + exit 1 + fi + SERVICE_URL=$(gcloud run services describe "household-${SERVICE_SUFFIX}-bot-api" \ --region "${GCP_REGION}" \ --project "${{ vars.GCP_PROJECT_ID }}" \
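Review bot: The new `if:` on "Set Telegram Webhook" contains `!cancelled()`, which counts as a status-check function and so drops the implicit `success()`; the step now runs after any earlier step in the job has failed, not only after a failed secret load. If the deploy steps precede it in this job (not visible in the hunk), the webhook could be re-registered with Telegram against a service revision that was never rolled out. A failing `gcloud secrets versions access` should already fail the "Load webhook secret" step, presumably under the runner's default `bash -e`, which the removed `set +e`/`set -e` pair suggests is in effect. The condition could therefore stay `if: ${{ steps.telegram-token.outputs.available == 'true' }}`, with the added `-z "$TELEGRAM_WEBHOOK_SECRET"` guard still covering an empty value. The step's `run:` script continues past the end of the hunk.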