Remove secrets from code, inject via GitHub Actions

ILindsley · claude · ILindsley · commit 3b2d8006cb5f · 2026-02-05T02:20:53.000Z
Secrets are now stored in GitHub Actions secrets and injected
at deploy time - never committed to repo.

Required GitHub secrets:
- AUTH_SECRET (generate with: openssl rand -base64 32)
- ENGINE_API_KEY (get new key - old one was rotated)
- GOOGLE_CLIENT_ID (for Google OAuth)
- GOOGLE_CLIENT_SECRET (for Google OAuth)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/deploy-cloudflare.yml b/.github/workflows/deploy-cloudflare.yml
@@ -21,6 +21,28 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Inject secrets into wrangler config
+        run: |
+          node -e "
+            const fs = require('fs');
+            let content = fs.readFileSync('wrangler.jsonc', 'utf8');
+            // Remove comments for JSON parsing
+            const config = JSON.parse(content.replace(/\/\/.*$/gm, '').replace(/,(\s*[}\]])/g, '\$1'));
+            config.vars = {
+              ...config.vars,
+              AUTH_SECRET: process.env.AUTH_SECRET,
+              ENGINE_API_KEY: process.env.ENGINE_API_KEY,
+              GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID || '',
+              GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET || ''
+            };
+            fs.writeFileSync('wrangler.jsonc', JSON.stringify(config, null, 2));
+          "
+        env:
+          AUTH_SECRET: ${{ secrets.AUTH_SECRET }}
+          ENGINE_API_KEY: ${{ secrets.ENGINE_API_KEY }}
+          GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
+          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
+
       - name: Build for Cloudflare
         run: npx opennextjs-cloudflare build
 
diff --git a/wrangler.jsonc b/wrangler.jsonc
@@ -10,10 +10,13 @@
   },
   "vars": {
     "AUTH_TRUST_HOST": "true",
-    "AUTH_SECRET": "***REDACTED_AUTH_SECRET***",
     "ENGINE_BASE_URL": "https://api.btservant.ai",
-    "ENGINE_API_KEY": "***REDACTED_ENGINE_API_KEY***",
     "CLIENT_ID": "web",
     "DEFAULT_ORG": "unfoldingWord"
   }
+  // Secrets injected at deploy time via GitHub Actions:
+  // - AUTH_SECRET
+  // - ENGINE_API_KEY
+  // - GOOGLE_CLIENT_ID
+  // - GOOGLE_CLIENT_SECRET
 }
