From 7f562fe5feb672e139a38ed64449b43062326d8d Mon Sep 17 00:00:00 2001
From: Andrew Lavery <laverya@umich.edu>
Date: Thu, 26 Mar 2026 15:57:16 -0400
Subject: [PATCH] require the GITHUB_TOKEN and OP_SERVICE_ACCOUNT_PRODUCTION
 env vars before starting release process

---
 dagger/release.go | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/dagger/release.go b/dagger/release.go
index 3bf76aaf..e225a2c3 100644
--- a/dagger/release.go
+++ b/dagger/release.go
@@ -32,6 +32,11 @@ func (r *Replicated) Release(
 
 	githubToken *dagger.Secret,
 ) error {
+	// Check all required environment variables / secrets before starting work
+	if err := validateReleaseSecrets(ctx, githubToken, onePasswordServiceAccountProduction); err != nil {
+		return err
+	}
+
 	err := checkGitTree(ctx, source, githubToken)
 	if err != nil {
 		return errors.Wrap(err, "failed to check git tree")
@@ -213,6 +218,40 @@ func (r *Replicated) Release(
 	return nil
 }
 
+func validateReleaseSecrets(ctx context.Context, githubToken, onePasswordServiceAccountProduction *dagger.Secret) error {
+	var missing []string
+
+	if githubToken == nil {
+		missing = append(missing, "GITHUB_TOKEN")
+	} else {
+		gt, err := githubToken.Plaintext(ctx)
+		if err != nil {
+			return errors.Wrap(err, "failed to read GITHUB_TOKEN secret")
+		}
+		if strings.TrimSpace(gt) == "" {
+			missing = append(missing, "GITHUB_TOKEN")
+		}
+	}
+
+	if onePasswordServiceAccountProduction == nil {
+		missing = append(missing, "OP_SERVICE_ACCOUNT_PRODUCTION")
+	} else {
+		op, err := onePasswordServiceAccountProduction.Plaintext(ctx)
+		if err != nil {
+			return errors.Wrap(err, "failed to read OP_SERVICE_ACCOUNT_PRODUCTION secret")
+		}
+		if strings.TrimSpace(op) == "" {
+			missing = append(missing, "OP_SERVICE_ACCOUNT_PRODUCTION")
+		}
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("required environment variables are not set: %s", strings.Join(missing, ", "))
+	}
+
+	return nil
+}
+
 func getNextVersion(ctx context.Context, latestVersion string, version string) (int64, int64, int64, error) {
 	parsedLatestVersion, err := semver.NewVersion(latestVersion)
 	if err != nil {