
Secrets & Configuration

Guardrails

  • Backend: GCP Secret Manager
  • Frontend: Vercel env vars (frontend-only)
  • CI → Cloud: GitHub OIDC → GCP (no long-lived keys)
  • Config validation: Zod at startup
  • Secret scanning: gitleaks (pre-commit + CI)
  • Rotation: every 90 days; owners tracked
```ts
import { z } from 'zod';

// Every variable the backend depends on is declared here; parse() throws at startup
// if a required one is missing or malformed, so a misconfigured deploy fails fast.
const Schema = z.object({
  FIREBASE_PROJECT_ID: z.string(),
  SENTRY_DSN: z.string().url().optional(),
});

export const env = Schema.parse({
  FIREBASE_PROJECT_ID: process.env.FIREBASE_PROJECT_ID,
  SENTRY_DSN: process.env.SENTRY_DSN,
});
```
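The Zod schema above already refuses to start without its variables, but two failure modes deserve explicit handling: the validation error must not echo the value it rejected into a crash log, and a backend secret must never also be published under the frontend's public prefix. The following is an added example, not the project's code, written without the zod dependency so it runs stand-alone; the `NEXT_PUBLIC_` prefix convention, `STRIPE_SECRET_KEY`, `loadConfig` and `redacted` are assumptions for illustration.

```typescript
// Added example (not the project's code): dependency-free stand-in for the Zod schema above.
// Assumed names: SPEC, PUBLIC_PREFIX, loadConfig, redacted, STRIPE_SECRET_KEY.
type Rule = { required: boolean; secret: boolean; check?: (v: string) => boolean };

// Constructed spec: what the backend needs and which values are secrets.
const SPEC: Record<string, Rule> = {
  FIREBASE_PROJECT_ID: { required: true, secret: false },
  SENTRY_DSN: { required: false, secret: true, check: (v) => /^https:\/\/\S+$/.test(v) },
  STRIPE_SECRET_KEY: { required: true, secret: true }, // hypothetical backend secret
};

// Assumed frontend convention: variables with this prefix are inlined into the browser bundle.
const PUBLIC_PREFIX = 'NEXT_PUBLIC_';

// Validate at startup and fail fast. Each problem names the variable and the kind of
// failure only; values are never echoed, so a crash log cannot leak a secret.
function loadConfig(env: Record<string, string | undefined>, spec: Record<string, Rule> = SPEC): Record<string, string> {
  const problems: string[] = [];
  const config: Record<string, string> = {};
  for (const name of Object.keys(spec)) {
    const rule = spec[name];
    // A backend secret that also exists under the public prefix would ship to the frontend.
    if (rule.secret && env[PUBLIC_PREFIX + name] !== undefined) {
      problems.push(`${name}: also set as ${PUBLIC_PREFIX}${name}`);
    }
    const value = env[name];
    if (value === undefined || value === '') {
      if (rule.required) problems.push(`${name}: missing`);
      continue;
    }
    if (rule.check && !rule.check(value)) {
      problems.push(`${name}: invalid`);
      continue;
    }
    config[name] = value;
  }
  if (problems.length > 0) throw new Error(`Config validation failed: ${problems.join('; ')}`);
  return config;
}

// What a startup log may print: secret values replaced, non-secret values kept.
function redacted(config: Record<string, string>, spec: Record<string, Rule> = SPEC): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(config)) {
    out[name] = spec[name] && spec[name].secret ? '[redacted]' : config[name];
  }
  return out;
}
```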
```yaml
permissions:
  id-token: write   # lets the job request a GitHub OIDC token; no long-lived GCP key is stored
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
          service_account: ${{ secrets.GCP_SA_EMAIL }}
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud --quiet components install beta
      - run: pnpm i && pnpm build && firebase deploy --only functions
```

LLM Notes

  • Do not hard-code secrets. Read via env and validate with Zod.