Secrets Reference
GitHub Environment Secrets
Each of the three GitHub Environments (staging, test, prod) holds these 6 secrets:
| Secret | Description | Where to Regenerate |
|---|---|---|
| VITE_API_BASE_URL | API base URL for the environment | Change only if subdomain changes |
| VITE_CF_ACCESS_CLIENT_ID | CF Access service token Client ID | Cloudflare → Zero Trust → Access → Service Auth → roll credentials |
| VITE_CF_ACCESS_CLIENT_SECRET | CF Access service token Client Secret | Same as above — ID and Secret roll together |
| CLOUDFLARE_API_TOKEN | CF API token with Pages write permission | Cloudflare → My Profile → API Tokens |
| CLOUDFLARE_ACCOUNT_ID | Cloudflare account ID (a9e39304...) | Cloudflare Dashboard sidebar — does not change |
| SLACK_WEBHOOK_URL | Slack Incoming Webhook URL | Slack → api.slack.com/apps → Incoming Webhooks |
How to Rotate a Secret
- Generate the new credential from the source system first
- Go to GitHub → Sema-Link/semalink-frontend → Settings → Environments → [environment]
- Find the secret and click Edit
- Paste the new value and save
- Trigger a new deployment — the next build will use the new secret automatically
Checklist
Completed ✅
- GitHub Environments created (staging, test, prod)
- All 6 secrets set in each environment (18 total)
- Cloudflare Pages projects created and custom domains attached
- `production_branch: main` set on all three app projects
- Cloudflare Zero Trust enabled
- Service tokens created for all three environments
- Service token credentials stored in GitHub secrets
- Slack notifications working on success and failure
- All three environments live and deploying
Pending ⚠️
- Create Cloudflare Access Application policies for the `arc`, `staging-arc`, and `test-arc` subdomains in Cloudflare → Zero Trust → Access → Applications. Service tokens exist but are not yet enforced — the API is not actively protected until these policies are created.
- Wire CF Access headers into the Axios client in `src/core/api/` (see Zero Trust)
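One way to wire the service-token headers into the Axios client, written here as an added example rather than code from `src/core/api/`: the interceptor reads the three `VITE_` values from an env object (in the app this is `import.meta.env`), fails fast if any is missing, and attaches the `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers only to requests whose resolved origin matches `VITE_API_BASE_URL`, so an absolute URL to another host never carries the token. The hostname `arc.example.com` used in the comment is a constructed placeholder.

```javascript
// Cloudflare Access expects the service token in these two request headers.
const CF_ID_HEADER = 'CF-Access-Client-Id';
const CF_SECRET_HEADER = 'CF-Access-Client-Secret';

// Read the per-environment values. Vite inlines VITE_-prefixed variables into
// the browser bundle at build time, so a missing value should break startup
// rather than silently send requests that CF Access will reject with 403.
function readCfAccessEnv(env) {
  const required = [
    'VITE_API_BASE_URL',
    'VITE_CF_ACCESS_CLIENT_ID',
    'VITE_CF_ACCESS_CLIENT_SECRET',
  ];
  const missing = required.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`CF Access config missing: ${missing.join(', ')}`);
  }
  return {
    baseURL: env.VITE_API_BASE_URL,
    clientId: env.VITE_CF_ACCESS_CLIENT_ID,
    clientSecret: env.VITE_CF_ACCESS_CLIENT_SECRET,
  };
}

// Returns an Axios request interceptor. Headers are added only when the
// request resolves to the API origin, because an absolute config.url bypasses
// baseURL and would otherwise leak the token to a third-party host.
function cfAccessInterceptor(env) {
  const { baseURL, clientId, clientSecret } = readCfAccessEnv(env);
  const apiOrigin = new URL(baseURL).origin;
  return (config) => {
    const target = new URL(config.url ?? '', config.baseURL ?? baseURL);
    if (target.origin === apiOrigin) {
      config.headers = {
        ...(config.headers ?? {}),
        [CF_ID_HEADER]: clientId,
        [CF_SECRET_HEADER]: clientSecret,
      };
    }
    return config;
  };
}

// Wiring in the app (assumed shape of src/core/api/, e.g. baseURL https://arc.example.com):
//   import axios from 'axios';
//   export const api = axios.create({ baseURL: import.meta.env.VITE_API_BASE_URL });
//   api.interceptors.request.use(cfAccessInterceptor(import.meta.env));
```

Rolling the service token in Cloudflare and updating the two GitHub secrets (see the rotation steps above) is enough; the next build picks up the new values without code changes.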