
GitHub Repository Secrets

This page documents the required GitHub repository secrets used by CI/CD workflows, deployment automation, integration testing, and infrastructure management.

info

These secrets are configured in GitHub repository settings under:

Settings → Secrets and variables → Actions

warning

Never commit secret values directly into the repository. All credentials, tokens, and environment configuration should be stored as encrypted GitHub Actions secrets.

Backend Server Repository Secrets

The backend server repository requires the following GitHub Actions secrets.

CREDS_JSON

Google Cloud user credentials JSON used for authenticated gcloud operations.

This JSON should contain:

  • client_id
  • client_secret
  • refresh_token
  • quota_project_id
  • type

Example structure:

{
  "client_id": "...",
  "client_secret": "...",
  "refresh_token": "...",
  "quota_project_id": "...",
  "type": "authorized_user"
}

caution

This is a user credential and should be treated as highly sensitive.


DEPLOY_TARGETS

JSON object containing deployment metadata for backend VM instances.

This secret is used by deployment workflows to determine target VM names and zones.

Example format:

{
  "staging": {
    "vm_name": "staging-server",
    "zone": "us-central1-a"
  },
  "production": {
    "vm_name": "production-server",
    "zone": "us-central1-f"
  }
}

Each key represents a deployment environment or collaborator target.
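
One way a deployment step could read DEPLOY_TARGETS and reject malformed entries before the values reach a gcloud or SSH command line. This is an added example, not code from the project's workflows; the function name and the two validation patterns are assumptions.

```python
from __future__ import annotations
import json
import re

# Conservative patterns (assumptions of this example): lowercase letters,
# digits and hyphens for VM names; region-zone form such as us-central1-a.
VM_NAME_RE = re.compile(r"[a-z]([-a-z0-9]{0,61}[a-z0-9])?")
ZONE_RE = re.compile(r"[a-z]+-[a-z]+[0-9]+-[a-z]")


def resolve_target(deploy_targets_json: str, environment: str) -> tuple[str, str]:
    """Return (vm_name, zone) for one environment, or raise ValueError."""
    try:
        targets = json.loads(deploy_targets_json)
    except json.JSONDecodeError:
        # Keep the raw text out of the error message: it is a secret.
        raise ValueError("DEPLOY_TARGETS is not valid JSON") from None
    if not isinstance(targets, dict):
        raise ValueError("DEPLOY_TARGETS must be a JSON object")
    entry = targets.get(environment)
    if not isinstance(entry, dict):
        raise ValueError("unknown deployment environment")
    vm_name, zone = entry.get("vm_name"), entry.get("zone")
    # Strict matching keeps shell metacharacters out of later commands.
    if not isinstance(vm_name, str) or not VM_NAME_RE.fullmatch(vm_name):
        raise ValueError("vm_name missing or malformed")
    if not isinstance(zone, str) or not ZONE_RE.fullmatch(zone):
        raise ValueError("zone missing or malformed")
    return vm_name, zone


# Constructed sample mirroring the example format on this page.
SAMPLE = '{"staging": {"vm_name": "staging-server", "zone": "us-central1-a"}}'

if __name__ == "__main__":
    print(resolve_target(SAMPLE, "staging"))
```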


DOCKERHUB_ACCESS_TOKEN

Docker Hub personal access token used for authentication during Docker image pushes and pulls.

This token should have permissions appropriate for the repository workflows.


DOCKERHUB_USERNAME

Docker Hub username associated with the access token.

Used alongside DOCKERHUB_ACCESS_TOKEN for container registry authentication.


PROJECT_ID

Google Cloud project ID used by deployment and infrastructure workflows.

Example:

tidy-outlet-412020

REFRESH_TOKEN

Google OAuth refresh token used for automated integration or backend tests.

This token should belong to a valid user account with appropriate permissions for the test environment.

warning

If this token expires or is revoked, automated tests may fail until the secret is updated.


SERVICE_KEY_JSON

Google Cloud service account credentials JSON used by backend automation and deployment workflows.

Typical permissions may include:

  • Compute Engine access
  • DNS management
  • Artifact Registry access
  • Cloud Storage access

Example structure:

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "..."
}

caution

Service account keys provide direct API access and should be rotated periodically according to organizational security policies.


SSH_USERNAME

SSH username with access to target Google Cloud VM instances.

Used during deployment workflows and remote command execution.

Example:

deploy-user

STAGING_ENV

Environment configuration used for staging integration tests.

This secret contains the contents of the staging .env file.

Typical values may include:

  • API endpoints
  • Database configuration
  • Authentication configuration
  • Feature flags
  • External service credentials

Example format:

NODE_ENV=staging
API_URL=https://staging.example.com
MONGO_URI=...
JWT_SECRET=...

warning

Do not log or print the contents of this secret during workflow execution.

Frontend Repository Secrets

The frontend repository requires the following GitHub Actions secrets.

DEV_BACKEND_URL

Backend URL for the staging or development backend environment.

Example:

https://staging-server.uow-carbon.org

Used by frontend deployment workflows, automated testing, and environment configuration.


GCLOUD_SERVICE_ACCOUNT_JSON

Google Cloud service account credentials JSON used for frontend deployment workflows and authenticated Google Cloud operations.

Example structure:

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "..."
}

caution

This credential provides direct access to Google Cloud APIs and should be treated as highly sensitive.
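
A pre-flight check for the three credential JSON secrets on this page (CREDS_JSON, SERVICE_KEY_JSON and GCLOUD_SERVICE_ACCOUNT_JSON), reporting missing fields or a wrong credential type without echoing any value. This is an added example, not the project's own code; the function name and the sample values are assumptions.

```python
from __future__ import annotations
import json

# Required fields per credential type, taken from the example structures
# on this page.
REQUIRED_KEYS = {
    "authorized_user": ["client_id", "client_secret", "refresh_token",
                        "quota_project_id", "type"],
    "service_account": ["type", "project_id", "private_key_id",
                        "private_key", "client_email"],
}


def check_credentials(secret_text: str, expected_type: str) -> list[str]:
    """Return a list of problems (empty when OK); never includes values."""
    if expected_type not in REQUIRED_KEYS:
        raise ValueError("unsupported credential type")
    try:
        data = json.loads(secret_text)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(data, dict):
        return ["top level is not a JSON object"]
    problems = []
    # Catches a service account key pasted where a user credential is
    # expected, and the reverse.
    if data.get("type") != expected_type:
        problems.append(f"type is not {expected_type!r}")
    for key in REQUIRED_KEYS[expected_type]:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {key}")
    return problems


# Constructed sample values; not real credentials.
SAMPLE_SERVICE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "constructed-key-id", "private_key": "constructed-key",
    "client_email": "deployer@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    print(check_credentials(SAMPLE_SERVICE_KEY, "service_account"))
    print(check_credentials(SAMPLE_SERVICE_KEY, "authorized_user"))
```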


GOOGLE_CLIENT_SECRET

Google OAuth client secret used for authentication workflows.

Typically paired with GOOGLE_CLIENTID and GOOGLE_REFRESH_TOKEN.


GOOGLE_CLIENTID

Google OAuth client ID used for authentication and API access.

Example:

<>.apps.googleusercontent.com

GOOGLE_REFRESH_TOKEN

Google OAuth refresh token used by automated workflows requiring authenticated Google API access.

warning

If this token expires or is revoked, workflows depending on Google authentication may fail until the secret is updated.


ISGS_BACKEND_URL

Backend URL for the ISGS deployment environment.


NEWTS_BACKEND_URL

Backend URL for the NEWTS deployment environment.


OSAGE_BACKEND_URL

Backend URL for the OSAGE deployment environment.

info

These environment-specific backend URLs allow frontend deployments and tests to target the correct collaborator backend instance.

Updating Secrets

To update a GitHub Actions secret:

  1. Open the target repository on GitHub
  2. Navigate to Settings
  3. Select Secrets and variables
  4. Select Actions
  5. Choose the secret to update or create a new secret
  6. Save the updated value

Best Practices

  • Rotate credentials periodically
  • Use least-privilege access wherever possible
  • Prefer service accounts over personal credentials for automation
  • Avoid duplicating secrets across repositories unless necessary
  • Audit repository access regularly
  • Review GitHub Actions logs to ensure secrets are not accidentally exposed
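
A log review helper for the STAGING_ENV warning and the last practice above: it parses .env-style content and reports which keys have their values present in a log, by line number, without returning the values. This is an added example, not the project's own tooling; the function names, the minimum-length threshold and the sample data are assumptions.

```python
from __future__ import annotations


def parse_env(env_text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and # comments; strip quotes."""
    values = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def find_leaks(env_text: str, log_text: str, min_len: int = 8) -> list[tuple[int, str]]:
    """Return (log line number, key name) for each value seen in the log.

    Values shorter than min_len (for example NODE_ENV=staging) are skipped
    to avoid noise. The value itself is never returned.
    """
    secrets = {k: v for k, v in parse_env(env_text).items() if len(v) >= min_len}
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for key, value in secrets.items():
            if value in line:
                hits.append((number, key))
    return hits


# Constructed sample data; the secret value is not real.
SAMPLE_ENV = (
    "NODE_ENV=staging\n"
    "API_URL=https://staging.example.com\n"
    "JWT_SECRET=constructed-not-a-real-secret\n"
)
SAMPLE_LOG = (
    "Run npm test\n"
    "loading configuration\n"
    "debug jwt=constructed-not-a-real-secret\n"
    "2 tests passed\n"
)

if __name__ == "__main__":
    print(find_leaks(SAMPLE_ENV, SAMPLE_LOG))
```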
