Scope deploy workflow secrets#261

Merged

denuoweb merged 1 commit into

mainfrom

harden/deploy-secret-scope

May 26, 2026

Collaborator

denuoweb commented May 26, 2026

Summary

remove deploy credentials from job-level env so they are not present in unrelated step logs
validate required secret presence with boolean flags instead of exposing secret values
pass Firebase, Stripe, device-token, frontend, and bootstrap env only to the steps that require them

Verification

python3 YAML parse for .github/workflows/deploy.yml
actionlint .github/workflows/deploy.yml
nvm exec 24.15.0 pnpm lint
nvm exec 24.15.0 pnpm --filter crowdpm-functions test


          Scope deploy workflow secrets

d921ee4

denuoweb merged commit 30bf595 into main

8 checks passed

denuoweb deleted the harden/deploy-secret-scope branch

May 26, 2026 03:52

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet