MQL5-Google-Onedrive/docs/Secrets_Management.md

# Secrets Management Guide
This guide explains how to manage sensitive information (API keys, tokens, etc.) in this repository.
## Local Secrets
### 1. `.env` File
You can use a `.env` file for local development and automation.
- **File**: `.env` (copy from `.env.example`)
- **Status**: Gitignored (never committed)
- **Usage**: Loaded automatically by many of the scripts, or sourced manually in the shell.
### 2. `config/vault.json`
A more structured way to store credentials, used by specific scripts like `scripts/load_vault.py`.
- **File**: `config/vault.json`
- **Status**: Gitignored (never committed)
- **Template**: See `config/vault.json.example`
- **Structure**:
```json
{
  "cloudflare": {
    "zone_id": "your_zone_id",
    "account_id": "your_account_id",
    "domain": "your_domain.com"
  },
  "telegram_bot": {
    "name": "t.me/your_bot_name",
    "token": "your_bot_token_here",
    "api": "your_bot_token_here",
    "allowed_user_ids": [123456789],
    "webhook_url": "https://core.telegram.org/bots/api"
  },
  "github": {
    "pat": "your_github_personal_access_token_here"
  }
}
```
## GitHub Secrets
GitHub Secrets are used for CI/CD workflows (GitHub Actions).
### Required Secrets
- `RCLONE_CONFIG_B64`: Required for OneDrive sync.
- `CLOUDFLARE_ZONE_ID`: Required for Cloudflare automation.
- `CLOUDFLARE_ACCOUNT_ID`: Required for Cloudflare automation.
- `DOMAIN_NAME`: Required for domain management.
### Optional Secrets
- `SCRSOR`: Firefox Relay API key.
- `COPILOT`: Firefox Relay API key.
- `TELEGRAM_BOT_TOKEN`: For Telegram notifications.
## Automation Tools
### Setting GitHub Secrets Automatically
If you have the [GitHub CLI (gh)](https://cli.github.com/) installed and authenticated, you can use the provided script to upload your local secrets to GitHub:
```bash
# Upload from vault.json (default)
bash scripts/set_github_secrets.sh vault
# Upload from .env
bash scripts/set_github_secrets.sh env
```
## Best Practices
1. **Never commit secrets**: Always verify that your secret files are listed in `.gitignore`.
2. **Use placeholders**: When adding new secrets, update `.env.example` with placeholders.
3. **Rotate regularly**: Change your API keys and tokens periodically.
4. **Minimal permissions**: Create API tokens with the minimum required scopes.
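As an added example (not the repository's own `scripts/load_vault.py`), a loader that applies the practices above to `config/vault.json`: it refuses a vault file that other users can read or that git would not ignore, rejects values still carrying the template's placeholder text, and maps the filled-in fields onto the GitHub secret names listed earlier. The placeholder heuristic and the vault-to-secret mapping are assumptions, not something the repository defines.

```python
import json
import stat
import subprocess
from pathlib import Path

# Heuristic (assumption): every value in config/vault.json.example contains one
# of these substrings, so a live vault that still has them was never filled in.
PLACEHOLDER_MARKERS = ("your_", "_here")

# Assumed mapping from vault fields to the GitHub secret names this guide lists.
VAULT_TO_SECRET = {
    ("cloudflare", "zone_id"): "CLOUDFLARE_ZONE_ID",
    ("cloudflare", "account_id"): "CLOUDFLARE_ACCOUNT_ID",
    ("cloudflare", "domain"): "DOMAIN_NAME",
    ("telegram_bot", "token"): "TELEGRAM_BOT_TOKEN",
}


def find_placeholders(vault: dict) -> list:
    """Return 'section.key' paths whose string value still looks like a template placeholder."""
    hits = []
    for section, fields in vault.items():
        if not isinstance(fields, dict):
            continue
        for key, value in fields.items():
            if isinstance(value, str) and any(m in value for m in PLACEHOLDER_MARKERS):
                hits.append(f"{section}.{key}")
    return hits


def vault_to_secrets(vault: dict) -> dict:
    """Map a filled-in vault onto GitHub secret names; never export a placeholder."""
    leftovers = find_placeholders(vault)
    if leftovers:
        raise ValueError("template placeholders still present: " + ", ".join(leftovers))
    return {
        name: vault[section][key]
        for (section, key), name in VAULT_TO_SECRET.items()
        if vault.get(section, {}).get(key)
    }


def load_vault(path: str = "config/vault.json") -> dict:
    """Read the vault, refusing a file other users can read or that git would commit."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {oct(mode)}); chmod 600 it")
    # `git check-ignore -q` exits 0 only when the path matches a .gitignore rule.
    if subprocess.run(["git", "check-ignore", "-q", str(p)]).returncode != 0:
        raise RuntimeError(f"{path} is not gitignored and would be committed")
    return json.loads(p.read_text())
```

Run `vault_to_secrets(load_vault())` before handing values to `gh secret set`, so a half-filled template or a world-readable vault stops the upload instead of landing in CI.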