GITHUB_WEBHOOK_SECRET is now duplicated across dashboard.env and preview.env in server-setup.sh. These are separate services that need the same secret — the dashboard to register webhooks on GitHub, and the preview-webhook service to verify delivery signatures.
Currently there's no single source of truth for shared secrets between services. We could extract common variables into a /var/secrets/shared.env loaded by both systemd units. Worth discussing whether we want to address this now or leave it as-is.
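Until the secret has a single source, a drift check shows whether the two copies still agree: it reports every key defined in both env files as matching or not, without printing any value. This is an added example, not part of the original issue or of server-setup.sh; the function names and the raw-text comparison (no quote handling) are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between env files that duplicate a secret,
# e.g. dashboard.env and preview.env. Values are never printed.

# env_keys FILE -> sorted unique variable names assigned in FILE
# (comment lines and blanks do not match the pattern and are skipped)
env_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# env_value FILE KEY -> raw text after "KEY=" from the last assignment in FILE
# Assumption: both files use the same quoting style, so raw text is comparable.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# shared_env_drift FILE_A FILE_B
# Prints "KEY match" or "KEY MISMATCH" for each key present in both files.
# Returns 0 when every shared key agrees, 1 when any shared key differs.
shared_env_drift() {
    drift_status=0
    for drift_key in $(env_keys "$1"); do
        # Only keys that also exist in FILE_B are duplicated configuration.
        grep -q "^[[:space:]]*${drift_key}=" "$2" || continue
        if [ "$(env_value "$1" "$drift_key")" = "$(env_value "$2" "$drift_key")" ]; then
            printf '%s match\n' "$drift_key"
        else
            printf '%s MISMATCH\n' "$drift_key"
            drift_status=1
        fi
    done
    return "$drift_status"
}

# Stand-alone use: sh drift.sh /path/to/dashboard.env /path/to/preview.env
if [ "$#" -eq 2 ]; then
    shared_env_drift "$1" "$2"
fi
```

A mismatch on GITHUB_WEBHOOK_SECRET means the preview-webhook service would reject deliveries for webhooks the dashboard registered with the other value.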