We had this exact problem last month. The root cause was the pipeline environment variable mapping not aligning with CAPA’s expected variable format. Here’s what fixed it for us:
First, you need to understand that CAPA deployment scripts in qual-2022.2 expect variables in a specific namespace format. Your secrets manager integration needs to map GitHub secrets to the CAPA-expected format through an intermediate configuration step.
Add this validation and mapping step before your deployment:
- name: Prepare CAPA Config
run: |
echo "CAPA_DB_CONNECTION=${DB_HOST}" >> $GITHUB_ENV
echo "CAPA_API_ENDPOINT=${API_KEY}" >> $GITHUB_ENV
The key issue is that CAPA looks for CAPA_* prefixed variables, not the raw secret names. Your CI/CD config syntax needs to include this mapping layer.
Second, verify your deployment manifest includes these variables in the allowlist:
{
"allowedEnvVars": [
"CAPA_DB_CONNECTION",
"CAPA_API_ENDPOINT"
]
}
Third, ensure your secrets manager integration in GitHub Actions has the proper permissions scope. CAPA deployment requires repo and workflow scopes to access organization-level secrets.
The pipeline environment variable mapping is critical because CAPA validates every variable against its security schema before allowing deployment to proceed. This prevents unauthorized configuration changes from bypassing audit trails.
For secrets manager integration, use GitHub’s environment protection rules to require approval before variables are exposed to the deployment job. This creates the audit trail that CAPA compliance requires.
Finally, update your CI/CD config syntax to include the CAPA-specific deployment hooks:
jobs:
deploy-capa:
environment: production
steps:
- name: Validate CAPA Environment
run: node scripts/validate-capa-env.js
- name: Deploy CAPA Module
run: npm run deploy:capa
The validation script should verify all three focus areas: proper variable mapping, secrets manager connectivity, and config syntax compliance. This approach has worked reliably for us across multiple CAPA deployments to qual-2022.2 and qual-2023.1.