MQL5-Google-Onedrive/GITHUB_SECRETS_SETUP.md
copilot-swe-agent[bot] 77cb62d1d2 Add repository sync with L6-N9 and REST API integration
Co-authored-by: Mouy-leng <199350297+Mouy-leng@users.noreply.github.com>
2026-02-17 10:58:11 +00:00


# GitHub Actions Secrets Setup

This document provides guidance on setting up GitHub Secrets for the repository's CI/CD workflows.

## Required Secrets

The following secrets should be configured in your GitHub repository settings:

### Telegram Bot Configuration

- **`TELEGRAM_BOT_TOKEN`** or **`TELEGRAM_BOT_API`**
  - Value: `your_bot_token_here`
  - Used by: Telegram bot deployment scripts
  - Reference: https://core.telegram.org/bots/api
- **`TELEGRAM_ALLOWED_USER_IDS`** (Optional)
  - Value: Comma-separated list of Telegram user IDs authorized to use the bot
  - Example: `123456789,987654321`
  - Used by: Telegram bot for access control

### GitHub Automation

- **`GITHUB_PAT`** (Optional)
  - Value: `your_github_personal_access_token_here`
  - Used by: Scripts that need enhanced GitHub API access
  - Scopes required: `repo`, `workflow`, `write:packages`

### Existing Secrets (Already Configured)

- **`RCLONE_CONFIG_B64`** - For OneDrive sync
- **`CLOUDFLARE_ZONE_ID`** - Cloudflare zone ID
- **`CLOUDFLARE_ACCOUNT_ID`** - Cloudflare account ID
- **`DOMAIN_NAME`** - Your domain name
- **`SCRSOR`** - Firefox Relay API key
- **`COPILOT`** - Firefox Relay API key
- **`SLACK_WEBHOOK`** (Optional) - For Slack notifications

### Repository Sync Configuration (New)

- **`REPO_SYNC_TOKEN`** (Required for L6-N9 sync)
  - Value: GitHub Personal Access Token with `repo` scope
  - Used by: Repository sync workflow to access L6-N9 repository
  - Generate at: GitHub Settings → Developer settings → Personal access tokens
- **`L6_N9_REPO`** (Optional)
  - Value: Target repository name (default: `A6-9V/L6-N9`)
  - Format: `owner/repository`
- **`L6_N9_SYNC_BRANCH`** (Optional)
  - Value: Target branch name (default: `main`)
- **`REST_API_KEY`** (Optional)
  - Value: Your REST API authentication key
  - Used by: REST API notifications during sync
- **`REST_API_URL`** (Optional)
  - Value: Your REST API endpoint URL
  - Example: `https://api.example.com/sync`
  - Used by: Sending sync status notifications

📖 **See [Repository Sync Setup Guide](REPO_SYNC_SETUP.md) for detailed configuration instructions.**

## Setting Secrets via GitHub CLI

If you have the GitHub CLI installed, you can set secrets using:

```bash
# Note: --body puts the value on the command line, where it is saved in shell
# history and visible in the process list. If --body is omitted, gh prompts
# for the value (or reads it from stdin) instead.

# Set Telegram bot token
gh secret set TELEGRAM_BOT_TOKEN --body "your_bot_token_here"

# Set GitHub PAT
# GitHub rejects secret names that start with GITHUB_, so this command fails
# as written; the secret needs a name without that prefix.
gh secret set GITHUB_PAT --body "your_github_personal_access_token_here"

# Set allowed users (replace with your actual Telegram user ID)
gh secret set TELEGRAM_ALLOWED_USER_IDS --body "your_telegram_user_id"

# Set Repository Sync secrets
gh secret set REPO_SYNC_TOKEN --body "ghp_your_token_here"
gh secret set L6_N9_REPO --body "A6-9V/L6-N9"
gh secret set L6_N9_SYNC_BRANCH --body "main"

# Set REST API secrets (optional)
gh secret set REST_API_KEY --body "your_api_key_here"
gh secret set REST_API_URL --body "https://api.example.com/sync"
```

## Setting Secrets via GitHub Web UI

1. Go to your repository on GitHub
2. Click **Settings** → **Secrets and variables** → **Actions**
3. Click **New repository secret**
4. Add each secret with its name and value

## Using the Automated Script

You can also use the provided script to sync from your local vault:

```bash
# Make sure config/vault.json is properly configured
bash scripts/set_github_secrets.sh vault
```

This will read from `config/vault.json` and set the appropriate GitHub secrets.

## Verification

After setting secrets, you can verify they're available in your workflows:

1. Go to the **Actions** tab in your repository
2. Run a workflow that uses these secrets
3. Check the workflow logs to ensure secrets are being loaded (values will be masked)

## Security Notes

- **Never log or print secret values in workflows**
- GitHub automatically masks secret values in logs, but only where the exact value appears; an encoded or otherwise transformed copy is not masked
- Rotate secrets regularly
- Use the minimum required scopes for tokens
- Store the actual values in a secure password manager

> If a real token was ever committed to git, treat it as compromised:
> rotate/revoke it immediately (BotFather for Telegram, GitHub settings for PATs).
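
As an added example (not part of this repository's scripts), the following POSIX shell function flags token-shaped strings in files such as `config/vault.json` before they reach a commit, reporting only file and line so the value itself never appears in output. The regexes, the `scan_tokens` and `demo_scan` names, and the all-zero sample values are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: flag token-shaped strings in files before they are committed.
# The regexes are heuristics for the usual token shapes (an assumption, not an
# official list); tune them to the credentials your repository handles.
GH_CLASSIC='ghp_[A-Za-z0-9]{36}'
GH_FINE='github_pat_[A-Za-z0-9_]{82}'
TG_BOT='[0-9]{8,10}:[A-Za-z0-9_-]{35}'

# scan_tokens FILE...
# Prints "file:line: possible <kind>" per hit and never echoes the matched
# value, so the report itself is safe to show in CI logs.
# Returns 1 if anything was found, 0 otherwise.
scan_tokens() {
  _report=$(
    for _f in "$@"; do
      [ -f "$_f" ] || continue
      for _p in "github-classic-pat=$GH_CLASSIC" \
                "github-fine-grained-pat=$GH_FINE" \
                "telegram-bot-token=$TG_BOT"; do
        # Keep only the line number from grep's "N:content" output.
        { grep -nE -e "${_p#*=}" -- "$_f" || true; } | cut -d: -f1 |
          while read -r _n; do
            printf '%s:%s: possible %s\n' "$_f" "$_n" "${_p%%=*}"
          done
      done
    done
  )
  if [ -z "$_report" ]; then return 0; fi
  printf '%s\n' "$_report"
  return 1
}

# demo_scan: builds a constructed sample file (placeholders from this page
# plus two fake, all-zero token-shaped values) and scans it.
demo_scan() {
  _tmp=$(mktemp)
  {
    printf '{\n'
    printf '  "TELEGRAM_BOT_TOKEN": "your_bot_token_here",\n'
    printf '  "TELEGRAM_ALLOWED_USER_IDS": "123456789,987654321",\n'
    printf '  "GITHUB_PAT": "ghp_%036d",\n' 0
    printf '  "BOT": "1234567890:%035d"\n' 0
    printf '}\n'
  } > "$_tmp"
  { scan_tokens "$_tmp" || true; } | sed "s|^$_tmp|sample.json|"
  rm -f "$_tmp"
}

if [ "$#" -gt 0 ]; then scan_tokens "$@"; else demo_scan; fi
```

Run with file names as arguments, the script exits non-zero on any hit, which lets a pre-commit hook or CI step block the change; the placeholder values used throughout this document do not trigger it.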

## Troubleshooting

If secrets aren't working:

1. **Check secret names** - They're case-sensitive
2. **Verify workflow permissions** - Some secrets require specific permissions
3. **Check repository visibility** - Public repos have different secret handling
4. **Review workflow syntax** - Ensure you're accessing secrets correctly: `${{ secrets.SECRET_NAME }}`