fix(ci): stop aliasing RAILWAY_API_TOKEN to RAILWAY_TOKEN

[mmabrouk]

Summary

Restore Railway preview CI by removing a token env-var aliasing that was added in c0baede6f ("some clean-up", May 19) and silently broke every preview run since.

• File: hosting/railway/oss/scripts/preview-resolve-env.sh
• Removed 4 lines that copied RAILWAY_API_TOKEN into RAILWAY_TOKEN.

What happened

The Railway CLI exposes two different env vars that look interchangeable but are not (per docs.railway.com/guides/cli):

Env var	Token kind	Scope
RAILWAY_TOKEN	Project token	project-scoped commands only
RAILWAY_API_TOKEN	Account / workspace token	project list, project init, whoami, etc.

Our preview scripts (bootstrap.sh, configure.sh, deploy-from-images.sh, ...) need account-level access because they enumerate and create Railway projects. Commit 6952242c5 (Feb 2026) deliberately switched the CI workflows from RAILWAY_TOKEN to RAILWAY_API_TOKEN for that reason:

# .github/workflows/41-railway-setup.yml
env:
  RAILWAY_API_TOKEN: ${{ secrets.RAILWAY_TOKEN }}   # secret holds an account token

On 2026-05-19 at 14:44 UTC, commit c0baede6f ("some clean-up") added this block at the top of preview-resolve-env.sh:

if [ -z \"${RAILWAY_TOKEN:-}\" ] && [ -n \"${RAILWAY_API_TOKEN:-}\" ]; then
    export RAILWAY_TOKEN=\"$RAILWAY_API_TOKEN\"
fi

That re-creates the very collision 6952242c5 fixed. When both vars are set to the same account token, the CLI prioritises RAILWAY_TOKEN (= project token semantics), and every account-level call returns:

Unauthorized. Please check that your RAILWAY_TOKEN is valid and has access to the resource you're trying to use.

Reproduction against Railway (using a known-good account token):

$ RAILWAY_API_TOKEN=<acct> railway whoami
Logged in as Mahmoud Mabrouk (mahmoud@agenta.ai) 👋

$ RAILWAY_TOKEN=<acct> railway whoami
Unauthorized. Please check that your RAILWAY_TOKEN is valid …

$ RAILWAY_API_TOKEN=<acct> RAILWAY_TOKEN=<acct> railway whoami
Failed to fetch: error decoding response body

$ RAILWAY_API_TOKEN=<acct> RAILWAY_TOKEN=<acct> railway project list --json
Unauthorized. …

The CI failure timeline confirms it:

• Last green run of 14-check-pr-preview.yml: 2026-05-19 16:42 UTC (on a branch that pre-dated the bad commit in its merge base)
• First failure: 2026-05-19 17:11 UTC — and every run since fails identically on the setup / setup job, regardless of branch contents
• Failing log line: Railway authentication failed. The token appears to be invalid or revoked. from require_railway_auth in bootstrap.sh

The GitHub secret itself is fine — the token I tested locally returns the right user and lists agenta-oss-pr-* projects in the Agenta workspace. The bug was entirely in the script.

Fix

Drop the aliasing. The workflow already exports the correct env (RAILWAY_API_TOKEN), and the rest of the scripts already check both vars in require_railway_auth so nothing else needs to change. Local invocations should set RAILWAY_API_TOKEN (already documented in hosting/railway/oss/README.md).

Test plan

• CI run of 14-check-pr-preview.yml on this PR completes the setup / setup job (i.e. railway whoami succeeds inside bootstrap.sh).
• deploy and tests jobs run to completion (they were skipped while setup failed).
• Local sanity: RAILWAY_API_TOKEN=<acct> source hosting/railway/oss/scripts/preview-resolve-env.sh && railway whoami returns Logged in as ….

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	May 21, 2026 9:31am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c4e5269e-e374-42fb-94f6-f61c3b06c71b

📥 Commits

Reviewing files that changed from the base of the PR and between 8925130 and 06c2b97.

📒 Files selected for processing (1)

• hosting/railway/oss/scripts/lib.sh

💤 Files with no reviewable changes (1)

• hosting/railway/oss/scripts/lib.sh

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Removed environment variable fallback behavior for preview environment configuration.
  • As a result, preview environment resolution will no longer substitute a secondary token when the primary token is missing.
  • This may require explicit configuration of preview credentials in environments where implicit fallbacks were previously relied upon.

Walkthrough

The PR removes the conditional fallback that previously exported RAILWAY_TOKEN from RAILWAY_API_TOKEN during preview environment initialization; the rest of the preview project/key/image resolution logic is unchanged.

Changes

Environment Variable Resolution

Layer / File(s)	Summary
Remove RAILWAY_TOKEN fallback hosting/railway/oss/scripts/preview-resolve-env.sh	Deletes conditional logic that aliased RAILWAY_TOKEN to RAILWAY_API_TOKEN when unset; preview project and key computation continues as before.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: removing the aliasing of RAILWAY_API_TOKEN to RAILWAY_TOKEN, which is the core fix addressing the CI preview failures.
Description check	✅ Passed	The description is comprehensively related to the changeset, providing detailed context about the two distinct Railway env vars, the bug timeline, reproduction steps, and the fix rationale.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/railway-token-env-collision

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR aims to restore Railway preview CI authentication by removing an environment-variable alias that copied RAILWAY_API_TOKEN into RAILWAY_TOKEN, which can break account-level Railway CLI commands.

Changes:

• Removed the RAILWAY_API_TOKEN → RAILWAY_TOKEN export block from the preview env resolution script.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Railway Preview Environment

Status	Destroyed (PR closed)

Updated at 2026-05-21T09:47:27.980Z