Add nightly Vercel env var drift detection workflow

[kilo-code-bot]

Summary

• Adds a nightly GitHub Actions workflow (.github/workflows/verify-vercel-env-vars.yml) that compares environment variable keys across three Vercel projects (kilocode-app, kilocode-global-app, kilocode-gateway) for each target environment (production, preview, development).
• Posts a Slack alert via incoming webhook when env vars exist in some projects but not all, preventing silent configuration drift.
• Includes an ignore list for Vercel-managed automatic env vars (e.g. VERCEL_URL, VERCEL_GIT_*) that are expected to differ.

How it works

1. Runs at 6 AM UTC daily (also supports manual workflow_dispatch trigger).
2. Fetches env vars from the Vercel API for all three projects (handles pagination).
3. For each target (production/preview/development), computes the union of all keys and identifies any that are missing from one or more projects.
4. If mismatches are found, sends a Slack message listing each drifted variable and which projects are missing it, with a link to the workflow run.
5. The workflow always succeeds (green) — drift is reported via Slack, not as a CI failure.

Required secrets

Secret	Description
VERCEL_TOKEN	Vercel API token with read access to all three projects
VERCEL_TEAM_ID	Vercel team/org ID
SLACK_ENV_DRIFT_WEBHOOK_URL	Slack incoming webhook URL for drift alerts

---

Built for Remon Oldenbeuving by Kilo for Slack

[kilo-code-bot]

[WARNING]: Missing guard for VERCEL_TEAM_ID

If the VERCEL_TEAM_ID secret is not configured, process.env.VERCEL_TEAM_ID will be undefined, and url.searchParams.set("teamId", undefined) will set the query parameter to the literal string "undefined". This could cause the Vercel API to return an error or unexpected results.

The file header (line 8) implies this is conditionally needed ("if projects are under a team"), but there's no guard here. Consider either:

• Making it required and failing fast if missing, or
• Conditionally adding the param:

if (process.env.VERCEL_TEAM_ID) {
  url.searchParams.set("teamId", process.env.VERCEL_TEAM_ID);
}

[kilo-code-bot]

[WARNING]: Pagination loop has no upper bound

If the Vercel API returns the same pagination.next cursor repeatedly (due to a bug or API change), this while (nextUrl) loop will run indefinitely, causing the workflow to hang until the GitHub Actions timeout (6 hours by default).

Consider adding a max iteration guard:

const MAX_PAGES = 20;
let page = 0;
while (nextUrl && page++ < MAX_PAGES) {

[kilo-code-bot]

[SUGGESTION]: Silent fallback on unexpected API response shape

data.envs ?? data falls back to the entire response object if envs is missing. Combined with the Array.isArray check on the next line, this means an unexpected API response shape would silently produce zero env vars for that page — no error, no warning. This could mask a real problem (e.g., API version change).

Consider logging a warning when the response shape is unexpected:

const envs = data.envs;
if (!envs) {
  core.warning(`Unexpected Vercel API response shape for ${projectName} — missing 'envs' key`);
}
allEnvs.push(...(Array.isArray(envs) ? envs : []));

[kilo-code-bot]

Code Review Summary

Status: 3 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	2
SUGGESTION	1

Issue Details (click to expand)

WARNING

File	Line	Issue
.github/workflows/verify-vercel-env-vars.yml	67	Missing guard for VERCEL_TEAM_ID — if the secret is unset, teamId=undefined (literal string) is sent to the Vercel API
.github/workflows/verify-vercel-env-vars.yml	74	Pagination loop has no upper bound — could hang indefinitely if the API returns a repeated cursor

SUGGESTION

File	Line	Issue
.github/workflows/verify-vercel-env-vars.yml	85	Silent fallback on unexpected API response shape — data.envs ?? data could mask API changes with zero env vars and no warning

Files Reviewed (1 file)

• .github/workflows/verify-vercel-env-vars.yml - 3 issues

Fix these issues in Kilo Cloud