A6-9V/MQL5-Google-Onedrive
1
0
Fork 0
forked from LengKundee/MQL5-Google-Onedrive
Code Pull requests Activity
MQL5-Google-Onedrive/GITHUB_SECRETS_SETUP.md
Cursor Agent f3ea60475b Security: remove leaked tokens and add secret scan 
Co-authored-by: GenX FX Trading System <Mouy-leng@users.noreply.github.com>
2026-02-10 04:38:19 +00:00

3.1 KiB
Raw Permalink Blame History

GitHub Actions Secrets Setup

This document provides guidance on setting up GitHub Secrets for the repository's CI/CD workflows.

Required Secrets

The following secrets should be configured in your GitHub repository settings:

Telegram Bot Configuration

  • TELEGRAM_BOT_TOKEN or TELEGRAM_BOT_API

  • TELEGRAM_ALLOWED_USER_IDS (Optional)

    • Value: Comma-separated list of Telegram user IDs authorized to use the bot
    • Example: 123456789,987654321
    • Used by: Telegram bot for access control

GitHub Automation

  • GITHUB_PAT (Optional)
    • Value: your_github_personal_access_token_here
    • Used by: Scripts that need enhanced GitHub API access
    • Scopes required: repo, workflow, write:packages

Existing Secrets (Already Configured)

  • RCLONE_CONFIG_B64 - For OneDrive sync
  • CLOUDFLARE_ZONE_ID - Cloudflare zone ID
  • CLOUDFLARE_ACCOUNT_ID - Cloudflare account ID
  • DOMAIN_NAME - Your domain name
  • SCRSOR - Firefox Relay API key
  • COPILOT - Firefox Relay API key
  • SLACK_WEBHOOK (Optional) - For Slack notifications

Setting Secrets via GitHub CLI

If you have the GitHub CLI installed, you can set secrets using:

# Set Telegram bot token
gh secret set TELEGRAM_BOT_TOKEN --body "your_bot_token_here"

# Set GitHub PAT
gh secret set GITHUB_PAT --body "your_github_personal_access_token_here"

# Set allowed users (replace with your actual Telegram user ID)
gh secret set TELEGRAM_ALLOWED_USER_IDS --body "your_telegram_user_id"

Setting Secrets via GitHub Web UI

  1. Go to your repository on GitHub
  2. Click SettingsSecrets and variablesActions
  3. Click New repository secret
  4. Add each secret with its name and value

Using the Automated Script

You can also use the provided script to sync from your local vault:

# Make sure config/vault.json is properly configured
bash scripts/set_github_secrets.sh vault

This will read from config/vault.json and set the appropriate GitHub secrets.

Verification

After setting secrets, you can verify they're available in your workflows:

  1. Go to Actions tab in your repository
  2. Run a workflow that uses these secrets
  3. Check the workflow logs to ensure secrets are being loaded (values will be masked)

Security Notes

  • Never log or print secret values in workflows
  • GitHub automatically masks secret values in logs
  • Rotate secrets regularly for security
  • Use the minimum required scopes for tokens
  • Store the actual values in a secure password manager

If a real token was ever committed to git, treat it as compromised: rotate/revoke it immediately (BotFather for Telegram, GitHub settings for PATs).

Troubleshooting

If secrets aren't working:

  1. Check secret names - They're case-sensitive
  2. Verify workflow permissions - Some secrets require specific permissions
  3. Check repository visibility - Public repos have different secret handling
  4. Review workflow syntax - Ensure you're accessing secrets correctly: ${{ secrets.SECRET_NAME }}