.env-example
# release-kit .env template
# -------------------------
# Copy to `.env` (which is gitignored) and fill in for local dev.
# For CI, set the same variables as repository / environment secrets.
#
# Every value below is a PLACEHOLDER. Real tokens never live in
# this file. In production, prefer OIDC trusted publishing (no
# token at all). See docs/playbook/cross-cutting/oidc-matrix.md.
# === PyPI ===
# OIDC-preferred. Token only for local dev / first-bootstrap upload.
# Scope: per-project (entire-account only for first publish).
PYPI_TOKEN=pypi-YOUR-TOKEN-HERE
# === npm (registry.npmjs.org) ===
# Use an Automation Token for CI (bypasses 2FA).
# Scope: Read + Write on the specific package.
NPM_TOKEN=npm_YOUR-TOKEN-HERE
# === npm via GitHub Packages ===
# Uses your GitHub token; see GITHUB_TOKEN below.
# Scope: packages:read + packages:write.
# === npm via GitLab Package Registry ===
# Use CI_JOB_TOKEN in pipelines; deploy token for external CI.
# Scope: write_package_registry.
GITLAB_NPM_TOKEN=glpat-YOUR-TOKEN-HERE
# === Docker Hub ===
# Access token, per-namespace, Read+Write+Delete.
DOCKERHUB_USERNAME=my-dockerhub-user
DOCKERHUB_TOKEN=dckr_pat_YOUR-TOKEN-HERE
# === GHCR (GitHub Container Registry) ===
# Use workflow GITHUB_TOKEN in CI; PAT for local dev only.
# Scope: packages:write (and contents:read for the source).
# Falls through to GITHUB_TOKEN if unset.
# GHCR_TOKEN=ghp_YOUR-TOKEN-HERE
# === GitLab Container Registry ===
# CI_JOB_TOKEN in pipelines; deploy token externally.
# Scope: write_registry.
GITLAB_REGISTRY_TOKEN=glpat-YOUR-TOKEN-HERE
# === AWS ECR ===
# Prefer OIDC via aws-actions/configure-aws-credentials.
# IAM access keys only when OIDC isn't available.
AWS_ACCESS_KEY_ID=AKIA-YOUR-KEY-HERE
AWS_SECRET_ACCESS_KEY=YOUR-SECRET-HERE
AWS_REGION=us-east-1
# === Google Artifact Registry ===
# Prefer Workload Identity Federation. JSON key as fallback.
# GOOGLE_APPLICATION_CREDENTIALS points at a downloaded key file
# (NEVER paste the key contents inline here).
GOOGLE_APPLICATION_CREDENTIALS=/absolute/path/to/sa-key.json
# === Azure Container Registry ===
# Prefer OIDC federation via azure/login@v2. SP secret as fallback.
AZURE_CLIENT_ID=YOUR-APP-ID
AZURE_TENANT_ID=YOUR-TENANT-ID
AZURE_SUBSCRIPTION_ID=YOUR-SUB-ID
AZURE_CLIENT_SECRET=YOUR-SP-SECRET-HERE
# === Homebrew tap ===
# PAT scoped to the tap repo for cross-repo PR.
# Scope: Contents: Read & write, Pull requests: Read & write.
TAP_GITHUB_TOKEN=ghp_YOUR-TOKEN-HERE
# === Maven Central ===
# Central Portal API token (new path).
CENTRAL_TOKEN_USER=YOUR-PORTAL-USER
CENTRAL_TOKEN_VALUE=YOUR-PORTAL-TOKEN
# GPG signing (required by Central; not by release-kit itself).
GPG_PRIVATE_KEY="-----BEGIN PGP PRIVATE KEY BLOCK-----..."
GPG_PASSPHRASE=YOUR-PASSPHRASE
# === RubyGems ===
# Prefer OIDC trusted publisher (since 2024).
# Token only for legacy / non-GH-Actions paths.
RUBYGEMS_API_KEY=rubygems_YOUR-KEY-HERE
# === crates.io ===
# Scope: publish-new + publish-update for first release; narrower for updates.
CARGO_REGISTRY_TOKEN=crates-io-YOUR-TOKEN-HERE
# === NuGet ===
# Glob-scoped API key (e.g., "MyOrg.*").
NUGET_API_KEY=nuget-YOUR-KEY-HERE
# === Packagist ===
PACKAGIST_USER=my-packagist-user
PACKAGIST_TOKEN=packagist-YOUR-TOKEN-HERE
# === GitHub.com ===
# In CI, the workflow GITHUB_TOKEN is auto-injected; don't set this.
# Locally: fine-grained PAT scoped to the repo with required perms.
GITHUB_TOKEN=ghp_YOUR-TOKEN-HERE
# === GitHub Enterprise (Cloud / Server) ===
# Override the API host for non-github.com:
# GH_HOST=github.example.com
# Same GITHUB_TOKEN env var (or the SSO-authorised PAT).
# === GitLab.com ===
# Project / group access token preferred over PAT.
# Scope: api (or narrower set).
GITLAB_TOKEN=glpat-YOUR-TOKEN-HERE
# === GitLab Self-Managed ===
# GL_HOST=gitlab.example.com
# Same GITLAB_TOKEN env var.
# === Bitbucket Cloud ===
BITBUCKET_USERNAME=my-bitbucket-user
BITBUCKET_APP_PASSWORD=ATBB-YOUR-PASSWORD-HERE
# === Bitbucket Data Center ===
# BITBUCKET_DC_HOST=bitbucket.example.com
# HTTP Access Token preferred.
BITBUCKET_DC_TOKEN=YOUR-HTTP-TOKEN-HERE
# === Gitea / Forgejo ===
# GITEA_HOST=gitea.example.com (or codeberg.org for Forgejo SaaS)
GITEA_TOKEN=YOUR-TOKEN-HERE
# === Azure DevOps ===
AZURE_DEVOPS_ORG=https://dev.azure.com/my-org
AZURE_DEVOPS_PAT=YOUR-PAT-HERE
# === release-kit operational ===
# Set this to "1" to allow falling back from OIDC to a long-lived
# token without --allow-token-auth on the CLI. Default is "0".
RELEASE_KIT_ALLOW_TOKEN_AUTH=0
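# Added example (not part of release-kit): a pre-commit style lint in Python that enforces the rule
# stated at the top of this template, that every secret-named variable holds a placeholder.
# Assumptions: a placeholder contains "YOUR-", ends in "..." (elided), or is a 0/1 flag; the names
# lint_template and is_placeholder are hypothetical.

```python
import re

# Constructed sample in this template's format. Lines 7 and 8 are deliberately
# bad: values that no longer look like placeholders (one is commented out).
SAMPLE = '''\
# === PyPI ===
PYPI_TOKEN=pypi-YOUR-TOKEN-HERE
AWS_REGION=us-east-1
GPG_PRIVATE_KEY="-----BEGIN PGP PRIVATE KEY BLOCK-----..."
# GHCR_TOKEN=ghp_YOUR-TOKEN-HERE
RELEASE_KIT_ALLOW_TOKEN_AUTH=0
NPM_TOKEN=npm_CONSTRUCTED-SAMPLE-NOT-A-TOKEN
# TAP_GITHUB_TOKEN=ghp_CONSTRUCTED-SAMPLE-NOT-A-TOKEN
'''

# Matches live and commented-out assignments: a value pasted into a
# commented line is committed to the repository just the same.
ASSIGN = re.compile(r"^\s*#?\s*([A-Z][A-Z0-9_]*)=(.*)$")

# Underscore-separated name parts that mark a variable as secret-bearing.
SECRET_WORDS = {"TOKEN", "SECRET", "KEY", "PASSWORD", "PAT", "PASSPHRASE"}


def is_placeholder(value):
    """True for template placeholders, elided blobs, empty values and 0/1 flags."""
    return "YOUR-" in value or value.endswith("...") or value in {"", "0", "1"}


def lint_template(text):
    """Return (line number, variable name) for each secret-named variable
    whose value is not a recognised placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGN.match(line)
        if not match:
            continue
        name = match.group(1)
        value = match.group(2).strip().strip("\"'")
        if SECRET_WORDS & set(name.split("_")) and not is_placeholder(value):
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in lint_template(SAMPLE):
        print(f"line {lineno}: {name} does not hold a placeholder value")
```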