fix: revert logic to abort function deploys in non-interactive mode when secrets are missing

CHANGELOG.md

@@ -1 +1,2 @@
-- Added 'hosting' to the 'firebase_init' MCP tool.
+- Added 'hosting' to the 'firebase_init' MCP tool (#9375)
+- Revert logic to abort function deploys in non-interactive mode when secrets are missing. (#9378)

src/deploy/functions/params.spec.ts

@@ -3,6 +3,8 @@
 
 import * as prompt from "../../prompt";
 import * as params from "./params";
+import * as secretManager from "../../gcp/secretManager";
+import { FirebaseError } from "../../error";
 
 const expect = chai.expect;
 const fakeConfig = {
@@ -214,7 +216,7 @@
     ];
     input.resolves("baz");
     await params.resolveParams(paramsToResolve, fakeConfig, {});
     expect(input.getCall(1).args[0].default).to.eq("baz");
   });
 
   it("can resolve a CEL expression containing only identities", async () => {
@@ -234,7 +236,7 @@
     ];
     input.resolves("baz");
     await params.resolveParams(paramsToResolve, fakeConfig, {});
     expect(input.getCall(1).args[0].default).to.eq("baz/quox");
   });
 
   it("can resolve a CEL expression depending on the internal params", async () => {
@@ -260,9 +262,9 @@
     ];
     input.resolves("baz");
     await params.resolveParams(paramsToResolve, fakeConfig, {});
     expect(input.getCall(0).args[0].default).to.eq("https://foo.firebaseio.com/quox");
     expect(input.getCall(1).args[0].default).to.eq("projectID: foo");
     expect(input.getCall(2).args[0].default).to.eq(
       "http://foo.appspot.com.storage.googleapis.com/",
     );
   });
@@ -298,4 +300,30 @@
     input.resolves("22");
     await expect(params.resolveParams(paramsToResolve, fakeConfig, {})).to.eventually.be.rejected;
   });
+
+  it("does not throw in non-interactive mode if secret exists in cloud", async () => {
+    const paramsToResolve: params.Param[] = [{ name: "MY_SECRET", type: "secret" }];
+    const getSecretMetadataStub = sinon.stub(secretManager, "getSecretMetadata").resolves({
+      secret: { name: "MY_SECRET", projectId: "foo", labels: {}, replication: {} },
+      secretVersion: { versionId: "1", state: "ENABLED", secret: {} as any },
+    });
+
+    await expect(params.resolveParams(paramsToResolve, fakeConfig, {}, true)).to.be.fulfilled;
+
+    getSecretMetadataStub.restore();
+  });
+
+  it("throws in non-interactive mode if secret is missing in cloud", async () => {
+    const paramsToResolve: params.Param[] = [{ name: "MY_SECRET", type: "secret" }];
+    const getSecretMetadataStub = sinon.stub(secretManager, "getSecretMetadata").resolves({
+      secret: undefined,
+    });
+
+    await expect(params.resolveParams(paramsToResolve, fakeConfig, {}, true)).to.be.rejectedWith(
+      FirebaseError,
+      /In non-interactive mode but have no value for the secret/,
+    );
+
+    getSecretMetadataStub.restore();
+  });
 });

src/deploy/functions/params.ts

@@ -272,7 +272,7 @@
     return pv;
   }
 
   setDelimiter(delimiter: string) {
     this.delimiter = delimiter;
   }
 
@@ -299,7 +299,7 @@
     if (this.rawValue.includes("[")) {
       // Convert quotes to apostrophes
       const unquoted = this.rawValue.replace(/'/g, '"');
       return JSON.parse(unquoted);
     }
 
     // Continue to handle something like "a,b,c"
@@ -395,26 +395,10 @@
 
   const [needSecret, needPrompt] = partition(outstanding, (param) => param.type === "secret");
 
-  // Check for missing secrets in non-interactive mode
-  if (nonInteractive && needSecret.length > 0) {
-    const secretNames = needSecret.map((p) => p.name).join(", ");
-    const commands = needSecret
-      .map(
-        (p) =>
-          `\tfirebase functions:secrets:set ${p.name}${(p as SecretParam).format === "json" ? " --format=json --data-file <file.json>" : ""}`,
-      )
-      .join("\n");
-    throw new FirebaseError(
-      `In non-interactive mode but have no value for the following secrets: ${secretNames}\n\n` +
-        "Set these secrets before deploying:\n" +
-        commands,
-    );
-  }
-
   // The functions emulator will handle secrets
   if (!isEmulator) {
     for (const param of needSecret) {
-      await handleSecret(param as SecretParam, firebaseConfig.projectId);
+      await handleSecret(param as SecretParam, firebaseConfig.projectId, nonInteractive);
     }
   }
 
@@ -434,7 +418,7 @@
     }
     if (paramDefault && !canSatisfyParam(param, paramDefault)) {
       throw new FirebaseError(
         "Parameter " + param.name + " has default value " + paramDefault + " of wrong type",
       );
     }
     paramValues[param.name] = await promptParam(param, firebaseConfig.projectId, paramDefault);
@@ -481,9 +465,20 @@
  * to read its environment variables. They are instead provided through GCF's own
  * Secret Manager integration.
  */
-async function handleSecret(secretParam: SecretParam, projectId: string): Promise<void> {
+async function handleSecret(
+  secretParam: SecretParam,
+  projectId: string,
+  nonInteractive?: boolean,
+): Promise<void> {
   const metadata = await secretManager.getSecretMetadata(projectId, secretParam.name, "latest");
   if (!metadata.secret) {
+    if (nonInteractive) {
+      throw new FirebaseError(
+        `In non-interactive mode but have no value for the secret: ${secretParam.name}\n\n` +
+          "Set this secret before deploying:\n" +
+          `\tfirebase functions:secrets:set ${secretParam.name}${secretParam.format === "json" ? " --format=json --data-file <file.json>" : ""}`,
+      );
+    }
     const promptMessage = `This secret will be stored in Cloud Secret Manager (https://cloud.google.com/secret-manager/pricing) as ${
       secretParam.name
     }. Enter ${secretParam.format === "json" ? "a JSON value" : "a value"} for ${