This page documents secret names and configuration boundaries. It does not contain secret values.

General Rules

  • Store hosted deployment secrets in GitHub Actions secrets or variables.
  • Store local web runtime configuration in apps/web/.env.local.
  • Do not commit tokens, keys, passwords, or rendered env dumps.
  • Do not edit checked-in compose files to inject per-environment secrets.

Local And Self-Hosted Web

Location                  Purpose
apps/web/.env.local       Docker build secret input and runtime env file for the web app
Shell environment         Optional overrides such as DOCS_PORT, SUPABASE_SERVER_URL, or UPSTASH_REDIS_REST_* when you intentionally override the Docker helpers
tmp/docker-web/prod/      Generated local deployment state for blue/green rollout

GitHub Actions Secrets By Area

Vercel-hosted web apps

  • VERCEL_TOKEN
  • VERCEL_ORG_ID
  • App-specific VERCEL_PROJECT_ID values such as VERCEL_PLATFORM_PROJECT_ID
  • TURBO_TOKEN
  • TURBO_TEAM

Production and preview app configuration

  • PRODUCTION_SUPABASE_URL
  • PRODUCTION_SUPABASE_PUBLISHABLE_KEY
  • PRODUCTION_SUPABASE_SECRET_KEY
  • ENCRYPTION_MASTER_KEY

Individual workflows may also consume other application-specific secrets depending on the deployed app.

Supabase migrations

  • SUPABASE_ACCESS_TOKEN
  • STAGING_DB_PASSWORD
  • STAGING_PROJECT_ID
  • STAGING_DB_URL
  • PRODUCTION_DB_PASSWORD
  • PRODUCTION_PROJECT_ID
  • PRODUCTION_DB_URL
  • MODAL_TOKEN_ID
  • MODAL_TOKEN_SECRET
  • MODAL_ENVIRONMENT as a GitHub Actions variable

Package publishing

  • NPM_TOKEN for npm publication
  • GITHUB_TOKEN for GitHub Packages
  • JSR publication uses workflow permissions with id-token: write

Docker-Specific Notes

  • The Docker web helper auto-generates a stable local Redis token and injects UPSTASH_REDIS_REST_TOKEN, UPSTASH_REDIS_REST_URL, and the matching internal SRH_TOKEN value for the bundled serverless-redis-http container.
  • SRH_TOKEN is the container’s internal environment variable. The user-facing override surface is UPSTASH_REDIS_REST_TOKEN if you intentionally replace the helper-generated value.
  • docker compose config expands env values; treat its output as sensitive.
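Two of the rules on this page can be checked mechanically: a checked-in compose file must only reference secret-bearing variables (never carry a literal value for them), and rendered output from docker compose config must be redacted before it is pasted anywhere. The Python script below is an added example and is not part of the project's tooling. The compose fragment and the rendered output inside it are constructed for the example; the key names it treats as sensitive are the ones on this page plus generic suffixes such as TOKEN and PASSWORD, and the literal ENCRYPTION_MASTER_KEY line exists only so the check has something to flag.

```python
"""Compose secret-boundary checks (added example, not the project's own tooling).

  * find_inlined_secrets: scans a checked-in compose file for secret-looking keys
    bound to a literal value instead of a ${VAR} reference.
  * redact_rendered: masks secret values in rendered output such as
    docker compose config before it is shared or logged.
The compose and rendered samples below are constructed for this example.
"""
import re
from typing import List, Tuple

# Substrings that mark a key as secret-bearing. Bare "KEY" is deliberately absent so that
# a publishable key (PRODUCTION_SUPABASE_PUBLISHABLE_KEY) is not treated as a secret.
SENSITIVE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|MASTER_KEY|ACCESS_KEY")

# One environment entry in either compose form: "- KEY=value" (list) or "KEY: value" (map).
ENV_ENTRY = re.compile(
    r"""^\s*(?:-\s*)?["']?(?P<key>[A-Za-z_][A-Za-z0-9_]*)["']?\s*[=:]\s*(?P<value>.*?)\s*$"""
)

# A value that only references the environment: $VAR, ${VAR}, ${VAR?msg}, ${VAR:?msg}.
# ${VAR:-default} is rejected on purpose: the default would ship a literal in the file.
REFERENCE = re.compile(r"^\$(?:[A-Za-z_][A-Za-z0-9_]*|\{[A-Za-z_][A-Za-z0-9_]*(?::?\?[^}]*)?\})$")


def _clean_value(raw: str) -> str:
    """Drop a trailing YAML comment and surrounding quotes from a captured value."""
    value = re.sub(r"\s+#.*$", "", raw).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def is_reference(value: str) -> bool:
    """True when the value defers to the environment (empty means: taken from shell/env_file)."""
    return value == "" or REFERENCE.fullmatch(value) is not None


def find_inlined_secrets(compose_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every secret-looking key bound to a literal value."""
    findings = []
    for number, line in enumerate(compose_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = ENV_ENTRY.match(line)
        if not match or not SENSITIVE.search(match.group("key")):
            continue
        if not is_reference(_clean_value(match.group("value"))):
            findings.append((number, match.group("key")))
    return findings


def redact_rendered(rendered_text: str) -> str:
    """Replace the value of every secret-looking key in rendered compose output with [REDACTED]."""
    out = []
    for line in rendered_text.splitlines():
        match = ENV_ENTRY.match(line)
        if match and SENSITIVE.search(match.group("key")) and _clean_value(match.group("value")):
            line = line[: match.start("value")] + "[REDACTED]"
        out.append(line)
    return "\n".join(out) + ("\n" if rendered_text.endswith("\n") else "")


# Constructed compose fragment: every line except the last keeps secrets out of the file.
SAMPLE_COMPOSE = """\
services:
  web:
    image: example/web:local   # constructed sample, not the project's compose file
    env_file:
      - apps/web/.env.local
    environment:
      - DOCS_PORT=3000
      - UPSTASH_REDIS_REST_URL=http://serverless-redis-http:80
      - UPSTASH_REDIS_REST_TOKEN=${UPSTASH_REDIS_REST_TOKEN:?set by the helper}
  serverless-redis-http:
    image: example/serverless-redis-http:local
    environment:
      SRH_TOKEN: "${UPSTASH_REDIS_REST_TOKEN}"
      ENCRYPTION_MASTER_KEY: literal-value-placeholder   # inlined literal: must be flagged
"""

# Constructed stand-in for what docker compose config prints: references already expanded.
RENDERED_SAMPLE = """\
services:
  serverless-redis-http:
    environment:
      SRH_TOKEN: 0123456789abcdef-constructed
      UPSTASH_REDIS_REST_URL: http://serverless-redis-http:80
"""

if __name__ == "__main__":
    for number, key in find_inlined_secrets(SAMPLE_COMPOSE):
        print(f"line {number}: {key} carries a literal value; reference it as ${{{key}}} instead")
    print(redact_rendered(RENDERED_SAMPLE), end="")
```

Run the script as-is to see the single finding on the constructed fragment, or point find_inlined_secrets at a real compose file's contents in a pre-commit hook. Pipe real rendered output through redact_rendered before attaching it to an issue; the redaction keys on variable names, so a secret placed under an unrelated name will not be caught, which is one more reason to keep the names in this inventory accurate.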

Change Management

When a new deployment flow is added:
  1. Add its secret names here.
  2. Add the workflow or runtime page to the relevant devops doc.
  3. Keep the boundary clear between repo config, GitHub Actions config, and machine-local config.