From 5cbf54443edde7173229fea0011ded8425edfded Mon Sep 17 00:00:00 2001
From: HiranoMasaaki <lambda.groove@gmail.com>
Date: Wed, 25 Feb 2026 13:56:59 +0000
Subject: [PATCH] ci: use separate API key secrets for production and staging
 workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- expert-cd.yml: PERSTACK_API_KEY → PERSTACK_PRODUCTION_API_KEY
- e2e.yml: PERSTACK_API_KEY → PERSTACK_STAGING_API_KEY

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/e2e.yml       | 2 +-
 .github/workflows/expert-cd.yml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 2291092e..43c61b9b 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -79,7 +79,7 @@ jobs:
           EXA_API_KEY: ${{ secrets.EXA_API_KEY }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           GOOGLE_GENERATIVE_AI_API_KEY: ${{ secrets.GOOGLE_GENERATIVE_AI_API_KEY }}
-          PERSTACK_API_KEY: ${{ secrets.PERSTACK_API_KEY }}
+          PERSTACK_API_KEY: ${{ secrets.PERSTACK_STAGING_API_KEY }}
 
   # Gate job for branch protection: required check that passes when E2E is
   # skipped (non-release PRs) or when all matrix suites succeed.
diff --git a/.github/workflows/expert-cd.yml b/.github/workflows/expert-cd.yml
index f5f6bbb2..66f8e437 100644
--- a/.github/workflows/expert-cd.yml
+++ b/.github/workflows/expert-cd.yml
@@ -34,7 +34,7 @@ jobs:
         id: check
         run: |
           OUTPUT=$(bun ./apps/perstack/bin/cli.ts expert versions ${{ matrix.definition.name }} \
-            --api-key ${{ secrets.PERSTACK_API_KEY }} 2>&1) || true
+            --api-key ${{ secrets.PERSTACK_PRODUCTION_API_KEY }} 2>&1) || true
           echo "$OUTPUT"
           if echo "$OUTPUT" | grep -q "^  ${{ steps.version.outputs.version }}"; then
             echo "Version ${{ steps.version.outputs.version }} already exists — skipping"
@@ -48,7 +48,7 @@ jobs:
         if: steps.check.outputs.should-publish == 'true'
         run: |
           bun ./apps/perstack/bin/cli.ts expert publish ${{ matrix.definition.name }} \
-            --api-key ${{ secrets.PERSTACK_API_KEY }} || true
+            --api-key ${{ secrets.PERSTACK_PRODUCTION_API_KEY }} || true
 
       - name: Push to draft
         if: steps.check.outputs.should-publish == 'true'
@@ -56,7 +56,7 @@ jobs:
         run: |
           OUTPUT=$(bun ./apps/perstack/bin/cli.ts expert push ${{ matrix.definition.draft-id }} \
             --config ${{ matrix.definition.path }}/perstack.toml \
-            --api-key ${{ secrets.PERSTACK_API_KEY }})
+            --api-key ${{ secrets.PERSTACK_PRODUCTION_API_KEY }})
           echo "$OUTPUT"
           REF_ID=$(echo "$OUTPUT" | grep "Ref ID:" | awk '{print $3}')
           echo "ref-id=$REF_ID" >> "$GITHUB_OUTPUT"
@@ -69,4 +69,4 @@ jobs:
             ${{ steps.push.outputs.ref-id }} \
             ${{ steps.version.outputs.version }} \
             --tag latest \
-            --api-key ${{ secrets.PERSTACK_API_KEY }}
+            --api-key ${{ secrets.PERSTACK_PRODUCTION_API_KEY }}