GitHub Secrets & Environment (PREGO v4.0)
Ref: implementation plan §3.6 P1-6, §3.9, §9.4.
Required secrets (repository or environment)
| Secret | Where used | Notes |
|---|---|---|
| HCLOUD_TOKEN_SG / _US / _EU | Pulumi Up (no longer used since Pulumi was removed), provision-tenant | Per-region Hetzner token; one token per region keeps billing, accounts and regulatory scope separate |
| CLOUDFLARE_API_TOKEN | Pulumi, provision-tenant (tenant-dns) | Zone and DNS records |
| CLOUDFLARE_ZONE_ID | provision-tenant tenant-dns step | pregoi.com Zone ID. Required for tenant DNS (approach C). |
| ZUPLO_ACCOUNT_NAME, ZUPLO_BUCKET_NAME, ZUPLO_API_KEY | provision-tenant zuplo-sync | Zuplo API Key registration |
| CONTROL_PLANE_API_KEY | provision-tenant callback | Authenticates calls to the Control Plane /internal/* routes. Must hold the same value as the Worker's INTERNAL_API_KEY (set with wrangler secret put); rotate both together. |
| PREGO_SSH_PRIVATE_KEY | provision-tenant ansible-provision | Full PEM private key Ansible uses for SSH to the App/DB servers. Its public key is the one registered on Hetzner. |
| PREGO_DB_ROOT_PASSWORD | provision-tenant ansible-provision | MariaDB root password passed to bench new-site --db-root-password. |
For other CI/deploy tools, see their docs.
Environments
Per-region environments (e.g. production-sg, production-us, production-eu) can hold the region-specific secrets and gate deployments with Required Reviewers. Environment secrets are only exposed to jobs that reference that environment, so a workflow for one region cannot read another region's token.
Rotation (recommended)
- HCLOUD_TOKEN_*: 90 days
- CLOUDFLARE_API_TOKEN: 90 days
After rotation, run the affected workflow once to confirm the new value works; revoke the old token only after that run succeeds.
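As an added example (not code from the PREGO repository or its implementation plan), the following POSIX shell script ties the table, the per-region environments and the rotation procedure above together using the gh and wrangler CLIs: region tokens are loaded from mode-600 files into environment-scoped secrets, CONTROL_PLANE_API_KEY and the Worker's INTERNAL_API_KEY are generated once and written to both stores, and the consuming workflow is triggered once afterwards. The repository slug example-org/prego, the token file paths, the workflow file name provision-tenant.yml and the DRY_RUN switch are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example, not code from the PREGO repository. Assumptions for illustration:
# repo slug example-org/prego, environments named production-<region>, token files
# on local disk, workflow file provision-tenant.yml. Needs authenticated gh and
# wrangler CLIs unless DRY_RUN=1.
set -eu

REPO="${REPO:-example-org/prego}"   # hypothetical repository slug
DRY_RUN="${DRY_RUN:-0}"             # 1 = print the commands instead of running them

# Run a command whose secret value arrives on stdin. Values never go on argv,
# where shell history and `ps` would expose them.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'dry-run: %s\n' "$*"
    cat >/dev/null                  # drain stdin so the writer never blocks
  else
    "$@"
  fi
}

# 32 bytes from the kernel CSPRNG, hex-encoded to 64 characters.
new_key() { head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# Repository-scoped secret; value on stdin.
set_repo_secret() { run gh secret set "$1" --repo "$REPO"; }

# Environment-scoped secret (only jobs that reference the environment see it).
# usage: set_env_secret production-sg HCLOUD_TOKEN_SG < file
set_env_secret() { run gh secret set "$2" --repo "$REPO" --env "$1"; }

# Load one region's Hetzner token from a file into the matching environment.
# Refuses files readable by group or others.  usage: set_region_token sg ./hcloud-sg.token
set_region_token() {
  region="$1"; file="$2"
  upper=$(printf '%s' "$region" | tr 'a-z' 'A-Z')
  perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")   # GNU, then BSD stat
  case "$perms" in
    600|400) ;;
    *) echo "refusing $file: mode $perms, expected 600 or 400" >&2; return 1 ;;
  esac
  set_env_secret "production-$region" "HCLOUD_TOKEN_$upper" < "$file"
}

# CONTROL_PLANE_API_KEY (GitHub) and the Worker's INTERNAL_API_KEY (wrangler) must
# hold the same value: generate once, write to both, so they always rotate together.
sync_control_plane_key() {
  key=$(new_key)
  printf '%s' "$key" | set_repo_secret CONTROL_PLANE_API_KEY
  printf '%s' "$key" | run wrangler secret put INTERNAL_API_KEY
}

# Trigger the consuming workflow once after a rotation; revoke the old token only
# after this run succeeds.
verify_rotation() { run gh workflow run "$1" --repo "$REPO" </dev/null; }

main() {
  for region in sg us eu; do
    set_region_token "$region" "./hcloud-$region.token"   # placeholder paths
  done
  sync_control_plane_key
  verify_rotation provision-tenant.yml                    # assumed workflow file name
}

if [ "${1:-}" = run ]; then main; fi
```

Run `DRY_RUN=1 sh secrets.sh run` to see the commands without touching GitHub or Cloudflare. Secret values travel on stdin or from a file, never on the command line, so they do not land in shell history or `ps` output, and the two halves of the shared control-plane key cannot drift apart because they come from a single generation step.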
Korean {#korean}
Policy: Hetzner may use a different token per region (HCLOUD_TOKEN_SG, HCLOUD_TOKEN_US, HCLOUD_TOKEN_EU) to keep billing, accounts and regulatory scope separate. (The Pulumi workflow is no longer used since Pulumi was removed.)
For the required secrets, where each is used and the accompanying notes, see the English table above. Environments: where needed, configure per-region Environments such as production-sg, production-us and production-eu with Required Reviewers. Rotation: HCLOUD_TOKEN_* and CLOUDFLARE_API_TOKEN every 90 days (recommended). After rotation, run the affected workflow once manually to verify.