Secrets Management
Overview
Secrets are stored in three places depending on their use:
| Location | Purpose | Access |
|---|---|---|
| GitHub Secrets | CI/CD workflows | GitHub Actions only |
| Wrangler Secrets | Worker runtime | Set with wrangler secret put; readable only by the deployed Worker |
| .dev.vars / .env | Local development | Gitignored files on the developer machine |
GitHub Secrets
Used in GitHub Actions workflows:
| Secret | Used By | Purpose |
|---|---|---|
| CLOUDFLARE_API_TOKEN | deploy.yml | Pages deploy + cache purge |
| CLOUDFLARE_API_KEY | deploy-chat-worker.yml | Worker deploy |
| CLOUDFLARE_EMAIL | deploy-chat-worker.yml | Worker deploy auth |
| CLOUDFLARE_ACCOUNT_ID | deploy.yml, deploy-chat-worker.yml | Account identifier |
| CLOUDFLARE_ZONE_ID | deploy.yml | Cache purge zone |
| NEXT_PUBLIC_POSTHOG_KEY | deploy.yml | PostHog project token |
| NEXT_PUBLIC_POSTHOG_HOST | deploy.yml | PostHog ingest URL |
| SLACK_HOMELAB_TOKEN | notify.yml | Slack notifications |
Two points about this table. CLOUDFLARE_API_KEY together with CLOUDFLARE_EMAIL is the legacy Global API Key: it carries full permissions over every zone and Worker in the account and cannot be scoped or given an expiry the way CLOUDFLARE_API_TOKEN can, so it is the most sensitive value in the list and the first to rotate if the GitHub Secrets store is ever exposed. The NEXT_PUBLIC_* values are compiled into the browser bundle by Next.js and are public by design; keeping them in GitHub Secrets keeps them out of the repository and makes them easy to swap, but they are not confidential. CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_ZONE_ID are identifiers, not credentials.
Wrangler Secrets
Set via wrangler secret put <NAME> for the chat worker runtime:
| Secret | Purpose |
|---|---|
| SLACK_BOT_TOKEN | Slack Bot OAuth token for posting messages |
| SLACK_SIGNING_SECRET | Verify Slack webhook signatures |
| SLACK_CHANNEL_ID | Slack channel for chat threads |
| TURNSTILE_SECRET_KEY | Cloudflare Turnstile verification |
| GEMINI_API_KEY | Google Gemini API access |
| RATE_LIMIT_BYPASS_TOKEN | Owner/E2E bypass for rate limiting |
Setting Secrets
```bash
cd chat-worker
wrangler secret put GEMINI_API_KEY
# Enter value when prompted
wrangler secret put SLACK_BOT_TOKEN
wrangler secret put SLACK_SIGNING_SECRET
wrangler secret put SLACK_CHANNEL_ID
wrangler secret put TURNSTILE_SECRET_KEY
wrangler secret put RATE_LIMIT_BYPASS_TOKEN
```
Local Development Files
.env (Site)
```bash
NEXT_PUBLIC_SITE_URL=https://anshulbisen.com
NEXT_PUBLIC_POSTHOG_KEY=<posthog-token>
NEXT_PUBLIC_POSTHOG_HOST=https://ph.anshulbisen.com
NEXT_PUBLIC_CHAT_WORKER_URL=http://localhost:8787
```
chat-worker/.dev.vars (Worker)
```bash
GEMINI_API_KEY=<key>
RATE_LIMIT_BYPASS_TOKEN=<token>
SLACK_BOT_TOKEN=<token>
SLACK_SIGNING_SECRET=<secret>
SLACK_CHANNEL_ID=<channel-id>
TURNSTILE_SECRET_KEY=<key>
```
Both files are gitignored. The .env file holds only NEXT_PUBLIC_ values, none of which are secret; chat-worker/.dev.vars holds real credentials for the local wrangler dev session and should be treated like the production secrets: never copy its contents into a tracked file, a commit message or a shared snippet.
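A gitignore entry only stops the two files themselves from being committed; it does nothing when a value is pasted into a tracked config, test fixture or script. The scan below is an added example, not code from the project, that a pre-commit hook can run over staged files to catch the token shapes these variables hold. The token formats (Slack xoxb- prefix, Google AIza prefix) and the hook wiring are assumptions about the providers and git, not taken from the page; the fixed variable names come from the two files above.

```shell
#!/bin/sh
# Added example, not part of the project: a pre-commit style scan for the
# secret shapes this page handles, so a value that escapes .dev.vars or .env
# into a tracked file is caught before it is pushed.
#
# Token formats are assumptions about the providers, not taken from the page:
#   xoxb-...     Slack bot user OAuth tokens
#   AIza + 35    Google API keys (the form a Gemini key takes)
#   NAME=value   one of the page's fixed secret names assigned a real value;
#                placeholders such as <key> are ignored
SECRET_RE='xoxb-[A-Za-z0-9-]+|AIza[0-9A-Za-z_-]{35}|(SLACK_BOT_TOKEN|SLACK_SIGNING_SECRET|TURNSTILE_SECRET_KEY|RATE_LIMIT_BYPASS_TOKEN|GEMINI_API_KEY|CLOUDFLARE_API_KEY|CLOUDFLARE_API_TOKEN)=[^<[:space:]][^[:space:]]*'

# redact: keep the first four characters after the recognisable prefix so the
# report is useful without re-leaking the value into the terminal or CI log
redact() {
  sed -E 's/(xoxb-[A-Za-z0-9-]{4}|AIza.{4}|=[^<[:space:]]{4})[^[:space:]]*/\1.../'
}

# count_hits FILE -> number of lines in FILE that look like a secret
count_hits() {
  grep -cE "$SECRET_RE" "$1" || true
}

# scan_file FILE -> prints FILE:LINE:redacted-text per hit; returns 1 if any
scan_file() {
  _hits=$(grep -nE "$SECRET_RE" "$1" | redact)
  [ -z "$_hits" ] && return 0
  printf '%s\n' "$_hits" | while IFS= read -r _line; do
    printf '%s:%s\n' "$1" "$_line"
  done
  return 1
}

# Usage as a hook:
#   git diff --cached --name-only --diff-filter=ACM | xargs sh scan-secrets.sh
# Exit status 1 when anything is flagged, so git refuses the commit.
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    scan_file "$f" || status=1
  done
  exit "$status"
fi
```

The named-variable alternative is what makes this useful for TURNSTILE_SECRET_KEY, SLACK_SIGNING_SECRET and RATE_LIMIT_BYPASS_TOKEN, which have no recognisable prefix; it deliberately skips values that start with < so the placeholder templates above do not trip it.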
Rotation Procedures
Where the provider allows it, create the new credential first, push it to the place that consumes it, confirm a deploy or a test request works, and only then revoke the old one; revoking first leaves the site or worker failing until the new value lands. wrangler secret put publishes a new Worker version on its own, so no separate deploy is needed for the Worker-side secrets.
- Cloudflare API token / Global API Key: Regenerate in Cloudflare dashboard → update CLOUDFLARE_API_TOKEN or CLOUDFLARE_API_KEY in GitHub Secrets
- Slack tokens: Regenerate in Slack app settings → wrangler secret put (SLACK_BOT_TOKEN, SLACK_SIGNING_SECRET) + update GitHub Secrets (SLACK_HOMELAB_TOKEN)
- Gemini API key: Regenerate in Google AI Studio → wrangler secret put
- Turnstile keys: Regenerate in Cloudflare Turnstile dashboard → wrangler secret put
- PostHog key: Regenerate in PostHog project settings → update GitHub Secrets
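Two helpers for the setting and rotation procedures above, added here as an example rather than taken from the project: a pre-deploy check that compares the secrets wrangler reports against the six the chat worker needs, and a rotation wrapper that feeds the new value to wrangler secret put on stdin so it never appears in argv or shell history. It assumes wrangler 3.x on PATH, that it is run from chat-worker/, and that wrangler secret list prints a JSON array of objects with a name field; the function and script names are invented.

```shell
#!/bin/sh
# Added example, not part of the project: verify that the deployed chat worker
# has every secret it needs, and rotate one without the value passing through
# argv or shell history.
#
# Assumptions: wrangler 3.x is on PATH, the script is run from chat-worker/, and
# `wrangler secret list` prints a JSON array of objects with a "name" field,
# e.g. [{"name":"GEMINI_API_KEY","type":"secret_text"}].
REQUIRED_WORKER_SECRETS='GEMINI_API_KEY
RATE_LIMIT_BYPASS_TOKEN
SLACK_BOT_TOKEN
SLACK_CHANNEL_ID
SLACK_SIGNING_SECRET
TURNSTILE_SECRET_KEY'

# secret_names JSON -> one configured secret name per line (no jq needed)
secret_names() {
  printf '%s' "$1" | grep -oE '"name" *: *"[^"]*"' | sed -E 's/.*"([^"]*)"$/\1/'
}

# missing_secrets JSON -> required names that JSON does not list, one per line
missing_secrets() {
  _configured=$(secret_names "$1")
  printf '%s\n' "$REQUIRED_WORKER_SECRETS" | while IFS= read -r _name; do
    printf '%s\n' "$_configured" | grep -qxF "$_name" || printf '%s\n' "$_name"
  done
}

# check_worker_secrets -> 0 when complete; otherwise lists the gaps and returns 1.
# Run before `wrangler deploy`: a missing secret is otherwise only noticed when
# the Worker first tries to use it on a live request.
check_worker_secrets() {
  _missing=$(missing_secrets "$(wrangler secret list)")
  if [ -n "$_missing" ]; then
    printf 'missing worker secrets:\n%s\n' "$_missing" >&2
    return 1
  fi
  echo "all required worker secrets are set"
}

# rotate_worker_secret NAME < new-value-file
# wrangler reads the value from stdin when stdin is not a terminal, so the new
# value never shows up in the process list or history. Each put publishes a new
# Worker version, so push the new value before revoking the old credential.
rotate_worker_secret() {
  case " $(printf '%s' "$REQUIRED_WORKER_SECRETS" | tr '\n' ' ') " in
    *" $1 "*) ;;
    *) echo "not a chat-worker secret: $1" >&2; return 2 ;;
  esac
  wrangler secret put "$1" && check_worker_secrets
}

# Usage: sh worker-secrets.sh check
#        sh worker-secrets.sh rotate GEMINI_API_KEY < /run/user/1000/new-gemini-key
case "${1-}" in
  check)  check_worker_secrets ;;
  rotate) rotate_worker_secret "${2-}" ;;
esac
```

The required list is the single place to update when a secret is added to the worker; the check then fails loudly in CI instead of the worker failing quietly at request time.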