.secrets.example
# Secrets Template for OBS Polyemesis
# DO NOT commit actual secrets to git!
# Copy this file to `.secrets` and fill in your actual values
# The `.secrets` file is gitignored for security

# ============================================================================
# REQUIRED SECRETS (for CI/CD workflows)
# ============================================================================
# Snyk Security Scanning
# Get from: https://snyk.io/account
# Navigate to: Account Settings → General → Auth Token
SNYK_TOKEN=your_snyk_token_here
# SonarCloud Code Quality
# Get from: https://sonarcloud.io/account/security
# Generate a new token with analysis permissions
SONAR_TOKEN=your_sonarcloud_token_here
# GitHub Personal Access Token (for advanced GitHub API access)
# Get from: https://github.com/settings/tokens
# Required scopes: repo, workflow, read:packages
GITHUB_TOKEN=your_github_pat_here

# ============================================================================
# RECOMMENDED SECRETS (for additional services)
# ============================================================================
# Codecov.io (Code Coverage Visualization)
# Get from: https://about.codecov.io/
# Navigate to: Repository Settings → Upload Token
CODECOV_TOKEN=your_codecov_token_here
# DeepSource (Automated Code Review)
# Get from: https://deepsource.io/
# Navigate to: Repository Settings → Analyzers → DSN
DEEPSOURCE_DSN=your_deepsource_dsn_here
# GitGuardian (Secrets Detection)
# Get from: https://dashboard.gitguardian.com/
# Navigate to: API → Personal Access Tokens
GITGUARDIAN_API_KEY=your_gitguardian_api_key_here
# Coverity Scan (Static Analysis)
# Get from: https://scan.coverity.com/
# Navigate to: Project Settings → Project Token
COVERITY_SCAN_TOKEN=your_coverity_token_here
# FOSSA (License Compliance)
# Get from: https://app.fossa.com/
# Navigate to: Account Settings → Integrations → API
FOSSA_API_KEY=your_fossa_api_key_here

# ============================================================================
# DOCKER & CONTAINER REGISTRIES
# ============================================================================
# Docker Hub (for publishing container images)
# Get from: https://hub.docker.com/settings/security
DOCKER_USERNAME=your_docker_username
DOCKER_PASSWORD=your_docker_password_or_token
# GitHub Container Registry (ghcr.io)
# Uses GITHUB_TOKEN above, but you can create a dedicated one
# Get from: https://github.com/settings/tokens
GHCR_TOKEN=your_ghcr_token_here

# ============================================================================
# DEPLOYMENT & HOSTING
# ============================================================================
# AWS Credentials (if deploying to AWS)
AWS_ACCESS_KEY_ID=your_aws_access_key_id
AWS_SECRET_ACCESS_KEY=your_aws_secret_access_key
AWS_REGION=us-east-1
# Azure Credentials (if deploying to Azure)
AZURE_CLIENT_ID=your_azure_client_id
AZURE_CLIENT_SECRET=your_azure_client_secret
AZURE_TENANT_ID=your_azure_tenant_id
# Google Cloud (if deploying to GCP)
GCP_PROJECT_ID=your_gcp_project_id
GCP_SERVICE_ACCOUNT_KEY=your_gcp_service_account_json

# ============================================================================
# CODE SIGNING (for release builds)
# ============================================================================
# macOS Code Signing
# Get from: Apple Developer Account
# Export from Keychain Access as .p12 file, then base64 encode
MACOS_CERTIFICATE=base64_encoded_p12_certificate
MACOS_CERTIFICATE_PASSWORD=your_certificate_password
APPLE_DEVELOPER_ID=your_apple_developer_id
APPLE_TEAM_ID=your_apple_team_id
# Windows Code Signing
# Get from: Certificate Authority (DigiCert, Sectigo, etc.)
WINDOWS_CERTIFICATE=base64_encoded_pfx_certificate
WINDOWS_CERTIFICATE_PASSWORD=your_certificate_password

# ============================================================================
# NOTIFICATION SERVICES
# ============================================================================
# Slack (for build/release notifications)
# Get from: https://api.slack.com/apps
# Create app → OAuth & Permissions → Bot Token
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
SLACK_BOT_TOKEN=xoxb-your-slack-bot-token
# Discord (for community notifications)
# Get from: Server Settings → Integrations → Webhooks
DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/YOUR/WEBHOOK
# Telegram (for deployment alerts)
TELEGRAM_BOT_TOKEN=your_telegram_bot_token
TELEGRAM_CHAT_ID=your_telegram_chat_id

# ============================================================================
# ANALYTICS & MONITORING
# ============================================================================
# Sentry (Error Tracking)
# Get from: https://sentry.io/
# Navigate to: Settings → Projects → Client Keys (DSN)
SENTRY_DSN=your_sentry_dsn_here
SENTRY_AUTH_TOKEN=your_sentry_auth_token
# Google Analytics (Usage Tracking)
GA_TRACKING_ID=UA-XXXXX-Y
GA_MEASUREMENT_ID=G-XXXXXXXXXX
# Datadog (APM & Monitoring)
DATADOG_API_KEY=your_datadog_api_key
DATADOG_APP_KEY=your_datadog_app_key

# ============================================================================
# PACKAGE REPOSITORIES
# ============================================================================
# NPM (if publishing npm packages)
NPM_TOKEN=your_npm_token_here
# PyPI (if publishing Python packages)
PYPI_USERNAME=__token__
PYPI_PASSWORD=your_pypi_token_here
# Homebrew (for macOS distribution)
HOMEBREW_GITHUB_API_TOKEN=your_homebrew_token
# Chocolatey (for Windows distribution)
CHOCOLATEY_API_KEY=your_chocolatey_api_key

# ============================================================================
# DOCUMENTATION & WEBSITE
# ============================================================================
# ReadTheDocs
READTHEDOCS_TOKEN=your_readthedocs_token
# Netlify (for documentation hosting)
NETLIFY_AUTH_TOKEN=your_netlify_token
NETLIFY_SITE_ID=your_netlify_site_id
# Cloudflare (for CDN/DNS)
CLOUDFLARE_API_TOKEN=your_cloudflare_token
CLOUDFLARE_ZONE_ID=your_cloudflare_zone_id

# ============================================================================
# ADDITIONAL DEVELOPMENT SERVICES
# ============================================================================
# OpenAI (for AI-assisted code review/documentation)
OPENAI_API_KEY=sk-your-openai-api-key
# Linear (Issue Tracking)
LINEAR_API_KEY=your_linear_api_key
# Jira (Project Management)
JIRA_API_TOKEN=your_jira_api_token
JIRA_EMAIL=your_jira_email
JIRA_BASE_URL=https://yourcompany.atlassian.net

# ============================================================================
# DATABASE & INFRASTRUCTURE (if applicable)
# ============================================================================
# PostgreSQL
DATABASE_URL=postgresql://user:password@host:5432/dbname
# Redis
REDIS_URL=redis://user:password@host:6379
# MongoDB
MONGODB_URI=mongodb+srv://user:password@cluster.mongodb.net/dbname

# ============================================================================
# TESTING & QA SERVICES
# ============================================================================
# BrowserStack (Cross-browser Testing)
BROWSERSTACK_USERNAME=your_browserstack_username
BROWSERSTACK_ACCESS_KEY=your_browserstack_access_key
# Sauce Labs (Automated Testing)
SAUCE_USERNAME=your_sauce_username
SAUCE_ACCESS_KEY=your_sauce_access_key
# Percy (Visual Testing)
PERCY_TOKEN=your_percy_token

# ============================================================================
# NOTES & USAGE INSTRUCTIONS
# ============================================================================
# To use this file:
# 1. Copy this file to `.secrets` (cp .secrets.example .secrets)
# 2. Fill in your actual secret values
# 3. NEVER commit `.secrets` to git (it's already in .gitignore)
# 4. Source the file when needed: `source .secrets`
# 5. Or use with GitHub Actions by adding secrets to repository settings
# For GitHub Actions:
# 1. Go to: Repository Settings → Secrets and variables → Actions
# 2. Click "New repository secret"
# 3. Add each required secret (SNYK_TOKEN, SONAR_TOKEN, etc.)
# For local development:
# You can source this file in your shell (`set -a` exports every assignment
# and copes with the comment lines above; `export $(cat .secrets | xargs)`
# fails on them because `#` is not a valid variable name):
# set -a; source .secrets; set +a
# Or use direnv:
# echo "dotenv .secrets" > .envrc
# direnv allow
# Security Best Practices:
# - Rotate secrets regularly (every 90 days minimum)
# - Use different secrets for dev/staging/production
# - Never log or print secret values
# - Use secret management tools (Vault, AWS Secrets Manager, etc.) for production
# - Enable 2FA on all service accounts
# - Audit secret access regularly

# ============================================================================
# PRIORITY GUIDE
# ============================================================================
# REQUIRED NOW (for current CI/CD):
# - SNYK_TOKEN
# - SONAR_TOKEN
# HIGHLY RECOMMENDED:
# - GITHUB_TOKEN (for enhanced GitHub API access)
# - CODECOV_TOKEN (for code coverage visualization)
# - GITGUARDIAN_API_KEY (for secrets detection)
# NEEDED FOR RELEASES:
# - MACOS_CERTIFICATE (for signed macOS builds)
# - WINDOWS_CERTIFICATE (for signed Windows builds)
# - DOCKER_USERNAME & DOCKER_PASSWORD (for container publishing)
# OPTIONAL (add as needed):
# - Notification services (Slack, Discord, etc.)
# - Analytics (Sentry, Google Analytics, etc.)
# - Additional QA services (Coverity, DeepSource, etc.)
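
The usage instructions and priority guide above describe loading `.secrets` and which keys must be filled in first. The following script is an added example, not part of the OBS Polyemesis repository: it checks that the keys marked REQUIRED NOW are present and no longer hold template placeholders (reporting only key names, never values), then loads the file with `set -a`. The placeholder patterns are assumptions derived from this template.

```shell
#!/usr/bin/env sh
# Added example (not the project's own code): validate a .secrets file
# written in the layout of .secrets.example before sourcing it.

# Keys the PRIORITY GUIDE lists under "REQUIRED NOW (for current CI/CD)".
REQUIRED_SECRETS="SNYK_TOKEN SONAR_TOKEN"

# Return 0 when a value still looks like a placeholder from the template.
# Patterns are an assumption based on the example values in this file.
is_placeholder() {
  case "$1" in
    ""|your_*|*_here|base64_encoded_*|sk-your-*|xoxb-your-*) return 0 ;;
    *YOUR/WEBHOOK*|UA-XXXXX-Y|G-XXXXXXXXXX|*:password@*)    return 0 ;;
    *) return 1 ;;
  esac
}

# Report (to stderr, names only) required keys that are absent or still
# placeholders in "$1". Returns 1 if any key fails, 0 otherwise.
check_secrets_file() {
  file="$1"; status=0
  for key in $REQUIRED_SECRETS; do
    # Last assignment wins, as it would when sourced; strip surrounding quotes.
    value=$(grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2- \
            | sed -e 's/^"//' -e 's/"$//')
    if is_placeholder "$value"; then
      echo "missing or placeholder: $key" >&2
      status=1
    fi
  done
  return $status
}

# Validate, then export every assignment in the file into this shell.
# 'set -a' handles the '#' comment lines that break `export $(cat ... | xargs)`.
load_secrets() {
  file="${1:-.secrets}"
  check_secrets_file "$file" || return 1
  case "$file" in */*) ;; *) file="./$file" ;; esac  # avoid PATH lookup by '.'
  set -a
  . "$file"; rc=$?
  set +a
  return $rc
}
```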