PJH-146: Use SHOPIFY_CLI_PARTNERS_TOKEN for Shopify deploy

[kai-nguyen-aligent]

Summary

• Updates the Shopify deploy workflow to use SHOPIFY_CLI_PARTNERS_TOKEN instead of SHOPIFY_CLI_TOKEN as the environment variable for authentication
• Updates the secret description to clarify it is a partner authentication token

For more information around this change: https://shopify.dev/docs/apps/launch/deployment/deploy-in-ci-cd-pipeline#step-3-integrate-shopify-cli-into-your-pipeline

[TheOrangePuff]

Not sure about this one. What happens when the client moves off our partner account and into their own?

[kai-nguyen-aligent]

@TheOrangePuff After reading these documents, I'm not even sure if the client can move off our partner account or not.

• https://help.shopify.com/en/partners/manage-clients-stores/client-transfer-stores#client-transfer-stores
• https://shopify.dev/docs/apps/build/dev-dashboard/stores/client-transfer-stores

However, Claude tells me that:

Shopify CLI expects the token to be set as the environment variable SHOPIFY_CLI_PARTNERS_TOKEN.

Verify the reusable workflow (aligent/workflows/.github/workflows/shopify-deploy.yml) is exposing the token as the correct environment variable. The workflow should have something like:

env:
  SHOPIFY_CLI_PARTNERS_TOKEN: ${{ secrets.shopify_cli_token }}

If it's setting a different env var name (e.g., SHOPIFY_CLI_TOKEN), that won't work — it must be SHOPIFY_CLI_PARTNERS_TOKEN.

[TheOrangePuff]

Is there harm in having both? My concern is when a client moves off our account, they can't use our partner token anymore. If this workflow only supports partner tokens deploys will break