Never commit secrets. Use platform secret stores:
| Platform | Store |
|---|---|
| Cloudflare Workers | wrangler secret put / pnpm secrets:sync |
| Cloudflare Pages | Project environment variables |
| Fly.io | fly secrets set |
Dashboard (Cloudflare Workers)
Worker name: soultales-partner. Full runbook: dashboard/DEPLOY.md in the monorepo.
Build-time vs runtime
| Type | Examples | Where to set |
|---|---|---|
| PUBLIC_* | PUBLIC_CLERK_PUBLISHABLE_KEY, PUBLIC_SITE_URL | GitHub Actions build secrets + local .env |
| Runtime | CLERK_SECRET_KEY, STRIPE_SECRET_KEY, DIRECTUS_TOKEN | Cloudflare Worker secrets only |
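
A pre-build check for the split in the table above, as an added example (not code from the monorepo): it parses a build-time .env and flags runtime-only names from the table, or PUBLIC_* values that carry a Stripe/Clerk secret-key prefix. The function names, rule labels and sample file are assumptions constructed for illustration.

```javascript
// Added example: lint a build-time .env before it is baked into the client bundle.
// Names in RUNTIME_ONLY are the runtime examples this page lists.
const RUNTIME_ONLY = new Set(["CLERK_SECRET_KEY", "STRIPE_SECRET_KEY", "DIRECTUS_TOKEN"]);
// Assumption: Stripe and Clerk secret keys start with sk_live_/sk_test_ (Stripe restricted: rk_).
const SECRET_VALUE = /^(sk|rk)_(live|test)_/;

// Minimal dotenv parser: skips comments, accepts "export", strips quotes and trailing comments.
function parseDotenv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const quoted = /^(["'])(.*?)\1/.exec(m[2]);
    vars.set(m[1], quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim());
  }
  return vars;
}

// Returns one finding per variable that breaks the build-time/runtime split.
function lintBuildEnv(text) {
  const findings = [];
  for (const [name, value] of parseDotenv(text)) {
    if (RUNTIME_ONLY.has(name)) {
      findings.push({ name, rule: "runtime-only-name" });
    } else if (name.startsWith("PUBLIC_") && SECRET_VALUE.test(value)) {
      findings.push({ name, rule: "secret-value-in-public" });
    }
  }
  return findings;
}

// Constructed sample; the values are placeholders, not real keys.
const SAMPLE_ENV = `
PUBLIC_SITE_URL=https://example.invalid
PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_EXAMPLE
PUBLIC_STRIPE_PUBLISHABLE_KEY="sk_test_EXAMPLE"  # secret key pasted into a public slot
PUBLIC_CHATWOOT_WEBSITE_TOKEN=EXAMPLE
export STRIPE_SECRET_KEY=sk_test_EXAMPLE
`;

for (const f of lintBuildEnv(SAMPLE_ENV)) {
  console.log(`${f.rule}: ${f.name}`);
}
```

A name containing TOKEN is not flagged on its own, since PUBLIC_CHATWOOT_WEBSITE_TOKEN is a legitimate build-time value on this page.
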
Sync runtime secrets from dashboard/secrets.json:
```bash
cd dashboard
cp secrets.json.example secrets.json # first time only
pnpm secrets:sync
```
GitHub Actions (deploy pipeline)
Set on the production environment:
CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, PUBLIC_SITE_URL, PUBLIC_CLERK_PUBLISHABLE_KEY, PUBLIC_STRIPE_PUBLISHABLE_KEY, PUBLIC_CHATWOOT_WEBSITE_TOKEN
Directus shared secret
DIRECTUS_OUTBOUND_SECRET must match on the Worker and Fly Directus (real-ireland-app), with FLOWS_ENV_ALLOW_LIST=DIRECTUS_OUTBOUND_SECRET on Directus.
Other packages
Frontend (Cloudflare Workers)
Worker name: soultales-www. See frontend/DEPLOY.md.
DIRECTUS_URL, DIRECTUS_TOKEN, Better Auth secrets (AUTH_SECRET, BETTER_AUTH_URL), Turso connection (ASTRO_DB_REMOTE_URL / ASTRO_DB_APP_TOKEN or TURSO_DATABASE_URL / TURSO_AUTH_TOKEN), OAuth client IDs, Mailgun keys
Backend
DB_PASSWORD, GCS credentials, Directus KEY/SECRET
Helpdesk
SECRET_KEY_BASE, Neon Postgres, Upstash Redis, R2 credentials: see helpdesk/.env.example
Local development
Copy .env.example files where provided. Use .env locally; files are gitignored.