security: Remove secrets from repo and migrate to GitHub Secrets

Remove all .env files containing database credentials, SMTP passwords,
Sentry DSN, and other secrets. The CI workflow now generates .env at
build time from GitHub repository secrets instead of copying committed
files. Also redacts infrastructure details from the deployment guide
and replaces hardcoded test DB passwords with configurable defaults.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bpamiri

.github/workflows/swarm-deploy.yml

@@ -18,9 +18,63 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Copy swarm config files to root
+      - name: Generate .env from secrets
+        env:
+          RELOAD_PASSWORD: ${{ secrets.RELOAD_PASSWORD }}
+          CFCONFIG_ADMIN_PASSWORD: ${{ secrets.CFCONFIG_ADMIN_PASSWORD }}
+          WHEELSDEV_HOST: ${{ secrets.WHEELSDEV_HOST }}
+          WHEELSDEV_PORT: ${{ secrets.WHEELSDEV_PORT }}
+          WHEELSDEV_DATABASENAME: ${{ secrets.WHEELSDEV_DATABASENAME }}
+          WHEELSDEV_USERNAME: ${{ secrets.WHEELSDEV_USERNAME }}
+          WHEELSDEV_PASSWORD: ${{ secrets.WHEELSDEV_PASSWORD }}
+          SMTP_USERNAME: ${{ secrets.SMTP_USERNAME }}
+          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
+          WHEELS_ID_SALT: ${{ secrets.WHEELS_ID_SALT }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+        run: |
+          cat > .env << ENVEOF
+          LUCEE_EXTENSIONS=BEC20D47-3268-1B354-C0E8E70B5CBC15A1;name=PostgreSQL;version=42.7.4
+
+          environment=production
+          reloadPassword=${RELOAD_PASSWORD}
+
+          cfconfig_adminPassword=${CFCONFIG_ADMIN_PASSWORD}
+
+          application_host=https://wheels.dev
+          datasource=wheels.dev
+
+          wheelsdev_host=${WHEELSDEV_HOST}
+          wheelsdev_port=${WHEELSDEV_PORT}
+          wheelsdev_databasename=${WHEELSDEV_DATABASENAME}
+          wheelsdev_username=${WHEELSDEV_USERNAME}
+          wheelsdev_password=${WHEELSDEV_PASSWORD}
+          wheelsdev_clob=true
+          wheelsdev_connectionlimit=100
+          wheelsdev_storage=true
+
+          wheelsdev_storage=true
+          sessionStorage=wheels.dev
+          sessionCluster=true
+
+          test_case=false
+          mail_from=noreply@wheels.dev
+
+          smtp_host=smtp.postmarkapp.com
+          smtp_port=587
+          smtp_username=${SMTP_USERNAME}
+          smtp_password=${SMTP_PASSWORD}
+          smtp_ssl=false
+          smtp_tls=true
+
+          wheels_id_salt=${WHEELS_ID_SALT}
+
+          SENTRY_DSN=${SENTRY_DSN}
+          SENTRY_ENVIRONMENT=production
+          ENVEOF
+          sed -i 's/^          //' .env
+
+      - name: Copy swarm Dockerfile to root
         run: |
-          cp ./deploy/swarm/.env ./
           cp ./deploy/swarm/dockerfile ./
 
       - name: Install CommandBox

.gitignore

@@ -31,6 +31,10 @@ settings.xml
 !public/files/
 !/public/files/json/
 !/public/files/json/**
-/.env
+# Environment files (may contain secrets)
+.env
+.env.*
+!.env.example
+
 /server.json
 public/images/Headshot.jpg

deploy/dev/.env

@@ -1,18 +1,18 @@
 LUCEE_EXTENSIONS=BEC20D47-3268-1B354-C0E8E70B5CBC15A1;name=PostgreSQL;version=42.7.4
 
 environment=development
-reloadPassword=w4u6r7daKHAYMDLZXDgUcwn99RReNium
+reloadPassword=CHANGE_ME
 
-cfconfig_adminPassword=commandbox
+cfconfig_adminPassword=CHANGE_ME
 
 application_host=https://wheels.dev
 datasource=wheels.dev
 
-wheelsdev_host=10.100.10.230
+wheelsdev_host=CHANGE_ME
 wheelsdev_port=26257
 wheelsdev_databasename=wheels_db
-wheelsdev_username=wheels_user
-wheelsdev_password=x5N6kR62ArF58zetwMSZ
+wheelsdev_username=CHANGE_ME
+wheelsdev_password=CHANGE_ME
 wheelsdev_clob=true
 wheelsdev_connectionlimit=100
 wheelsdev_storage=true
@@ -26,15 +26,15 @@ mail_from=noreply@wheels.dev
 
 smtp_host=smtp.postmarkapp.com
 smtp_port=587
-smtp_username=PM-T-outbound-OnVp1i-oZ0q8mz15PGdx3W
-smtp_password=Tav_B5Y2mPUczTzdwFl3Mx7DGqb1FRpip0jX
+smtp_username=CHANGE_ME
+smtp_password=CHANGE_ME
 smtp_ssl=false
 smtp_tls=true
 
 # ID Obfuscation Salt
-wheels_id_salt=w4u6r7daKHAYMDLZXDgUcwn99RReNium
+wheels_id_salt=CHANGE_ME
 
 # Sentry Error Reporting
 # DSN format: https://<public_key>@<host>/<project_id>
-SENTRY_DSN=https://ce106d4b62c07150550f1fa56dee0c7b@o4510302287888384.ingest.us.sentry.io/4510693409816576
+SENTRY_DSN=CHANGE_ME
 SENTRY_ENVIRONMENT=production

deploy/prod/.env

@@ -17,9 +17,9 @@ Internet → Cloudflare (SSL termination) → cloudflared tunnel → Traefik (po
 
 | Method | Details |
 |--------|---------|
-| SSH | `ssh petera@10.100.10.234` (key-based auth; see vault for key) |
-| Docker context | `docker context create swarm --docker "host=ssh://petera@10.100.10.234"` |
-| Portainer | `https://portainer.apps.paiindustries.com` |
+| SSH | `ssh <username>@<manager-ip>` (key-based auth; see vault for key and credentials) |
+| Docker context | `docker context create swarm --docker "host=ssh://<username>@<manager-ip>"` |
+| Portainer | See vault for URL |
 
 Only key-based SSH access is available. Deploy commands run on any **manager node** (swarm-01, swarm-02, or swarm-03).
 
@@ -156,14 +156,10 @@ volumes:
 Applications can connect to the CockroachDB cluster via the VIP:
 
 ```
-postgresql://username:password@10.100.10.230:26257/database?sslmode=disable
+postgresql://username:password@<cockroachdb-vip>:26257/database?sslmode=disable
 ```
 
-| Database | User | Password |
-|----------|------|----------|
-| titan_sessiondb | titan_sessions | (see vault) |
-| paiman_db | paiman_user | (see vault) |
-| wheels_db | wheels_user | (see vault) |
+Database names, users, and passwords are stored in the vault. Contact the cluster admin for access.
 
 To request a new database/user, ask the cluster admin.
 
@@ -281,13 +277,7 @@ networks:
 
 ## Swarm Nodes
 
-| Hostname | IP | Role | Notes |
-|----------|----|------|-------|
-| swarm-01 | 10.100.10.234 | Manager (Leader) | Deploy here |
-| swarm-02 | 10.100.10.235 | Manager | |
-| swarm-03 | 10.100.10.245 | Manager | |
-| swarm-04 | 10.100.10.251 | Worker | |
-| VIP | 10.100.10.252 | Keepalived | Floats between nodes |
+Node hostnames, IPs, and roles are documented in the vault. The swarm consists of 3 manager nodes and 1 worker node with a Keepalived VIP.
 
 Each node: 16 vCPU, 64GB RAM, 200GB disk, CephFS at `/mnt/cephfs`.
 
@@ -307,10 +297,10 @@ Each node: 16 vCPU, 64GB RAM, 200GB disk, CephFS at `/mnt/cephfs`.
 
 | Tool | URL |
 |------|-----|
-| Portainer | `https://portainer.apps.paiindustries.com` |
-| Grafana | `https://grafana.apps.paiindustries.com` (see vault for credentials) |
-| Prometheus | `https://prometheus.apps.paiindustries.com` |
-| Traefik Dashboard | `http://10.100.10.234:8080` |
+| Portainer | See vault for URL |
+| Grafana | See vault for URL and credentials |
+| Prometheus | See vault for URL |
+| Traefik Dashboard | `http://<manager-ip>:8080` |
 
 Logs for any service: `docker service logs <service-name> --tail 100 -f`
 

deploy/stage/.env

@@ -11,7 +11,7 @@ services:
       DB_PORT: 1433
       DB_DATABASE: wheels_dev
       DB_USERNAME: sa
-      DB_PASSWORD: "@bjs0016"
+      DB_PASSWORD: "${MSSQL_SA_PASSWORD:-TestPassword123!}"
     ports:
       - "60151:60151" # change if your app uses a different port
     networks:
@@ -26,7 +26,7 @@ services:
     environment:
       ACCEPT_EULA: "Y"
       MSSQL_PID: "Express"
-      MSSQL_SA_PASSWORD: "@bjs0016"
+      MSSQL_SA_PASSWORD: "${MSSQL_SA_PASSWORD:-TestPassword123!}"
     ports:
       - "1433:1433"
     networks:

deploy/swarm/.env deploy/swarm/.env.exampledeploy/swarm/.env renamed to deploy/swarm/.env.example

@@ -6,7 +6,8 @@ LABEL maintainer "Wheels Core Team"
 USER root
 
 # Set environment variables
-ENV MSSQL_SA_PASSWORD="@bjs0016"
+ARG MSSQL_SA_PASSWORD=TestPassword123!
+ENV MSSQL_SA_PASSWORD=${MSSQL_SA_PASSWORD}
 ENV ACCEPT_EULA="Y"
 ENV MSSQL_PID="Express"