fix(infra): dynamic credential path and upgrade CI actions to Node.js 24

ImTotem · claude · ImTotem · commit 2a17155d0765 · 2026-03-12T12:42:33.000+09:00
- deploy.sh reads GOOGLE_SERVICE_ACCOUNT_FILE from .env instead of hardcoded credentials.json
- docker-compose volume mount uses GOOGLE_SERVICE_ACCOUNT_FILE env var
- Upgrade actions/checkout@v6, actions/setup-python@v6 (Node.js 24)

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -14,9 +14,9 @@ jobs:
     permissions:
       checks: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.12"
           cache: "pip"
@@ -31,9 +31,9 @@ jobs:
     permissions:
       checks: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.12"
           cache: "pip"
diff --git a/infra/docker/docker-compose.yml b/infra/docker/docker-compose.yml
@@ -7,7 +7,7 @@ services:
     env_file:
       - ../../.env
     volumes:
-      - ../../credentials.json:/app/credentials.json:ro
+      - ../../${GOOGLE_SERVICE_ACCOUNT_FILE}:/app/${GOOGLE_SERVICE_ACCOUNT_FILE}:ro
     expose:
       - "8000"
     command: ["uvicorn", "bcsd_api.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "${GRACEFUL_TIMEOUT}"]
diff --git a/infra/scripts/deploy.sh b/infra/scripts/deploy.sh
@@ -35,8 +35,14 @@ check_credentials() {
         echo "FAIL: .env not found (CI/CD should have uploaded it)"
         exit 1
     fi
-    if [ ! -f credentials.json ]; then
-        echo "FAIL: credentials.json not found (CI/CD should have uploaded it)"
+    local sa_file
+    sa_file=$(grep -m1 '^GOOGLE_SERVICE_ACCOUNT_FILE=' .env | cut -d= -f2-)
+    if [ -z "$sa_file" ]; then
+        echo "FAIL: GOOGLE_SERVICE_ACCOUNT_FILE not set in .env"
+        exit 1
+    fi
+    if [ ! -f "$sa_file" ]; then
+        echo "FAIL: $sa_file not found (CI/CD should have uploaded it)"
         exit 1
     fi
 }
