Environment variables and secrets

May 13, 2026

Deployment model

When checks run

  • CI: .github/workflows/ci.yml — manifest verification and related checks on every PR.
  • Deploy: setup-env.yml — same verification plus generated .env for the target environment.
  • Local (app/): run bun run env-check after changing the manifest, .env.example, or the compose / workflow env wiring (see the env-check:* scripts in app/package.json).

Consistency / drift

  • Manifest defines deploy variables (name, source, required/default, description).
  • CI fails if manifest keys are missing from .env.example or docker-compose.yml, or if unmanaged keys appear in compose or setup-env mappings.
  • The generated table in this file must match the manifest (regenerate with bun .github/scripts/generate-github-readme.ts when needed).
  • Deploy generation fails if a required GitHub var/secret is missing for the selected environment.
  • Some .env.example entries are local-only (e.g. DATABASE_URL_* for app/scripts/db-pull); they stay out of the manifest and setup-env mappings.
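The drift rules above and the deploy-time generation step, as an added example that is not the project's own env-check or setup-env script: a small TypeScript model that reads constructed manifest, .env.example and compose samples, reports the same three classes of drift, and builds the deploy env from GitHub inputs/vars/secrets, failing on missing required values. The manifest shape, the sample inputs and the function names are assumptions; the real manifest format is not shown on this page.

```typescript
// Added example, not the project's own code. Models the manifest-driven
// drift checks and deploy .env generation described above.
type Source = "inputs" | "vars" | "secrets";

interface ManifestEntry {
  name: string;
  source: Source;       // where the deploy value comes from
  required: boolean;    // deploy generation fails when a required value is absent
  default?: string;     // used for optional entries with no value set
  description: string;
}

// Constructed manifest (assumed shape).
const sampleManifest: ManifestEntry[] = [
  { name: "ENVIRONMENT", source: "inputs", required: true, description: "Deployment target." },
  { name: "DATABASE_HOST", source: "vars", required: true, description: "Database host." },
  { name: "DATABASE_PASSWORD", source: "secrets", required: true, description: "Database password. Sensitive." },
  { name: "SKIP_DOWNLOAD", source: "vars", required: false, default: "1", description: "Processing flag." },
];

// Constructed .env.example. SKIP_DOWNLOAD is deliberately missing (drift);
// DATABASE_URL_STAGING is a local-only key that may stay out of the manifest.
const sampleEnvExample = [
  "# database",
  "ENVIRONMENT=staging",
  "DATABASE_HOST=localhost",
  "DATABASE_PASSWORD=changeme",
  "DATABASE_URL_STAGING=postgres://localhost/app",
].join("\n");

// Constructed docker-compose environment wiring, one KEY=${KEY} line per variable.
// LEGACY_FLAG is deliberately unmanaged (absent from the manifest).
const sampleComposeEnv = [
  "ENVIRONMENT=${ENVIRONMENT}",
  "DATABASE_HOST=${DATABASE_HOST}",
  "DATABASE_PASSWORD=${DATABASE_PASSWORD}",
  "SKIP_DOWNLOAD=${SKIP_DOWNLOAD}",
  "LEGACY_FLAG=${LEGACY_FLAG}",
].join("\n");

// Collect the KEY part of every KEY=value line, ignoring blanks and comments.
function keysOf(text: string): Set<string> {
  const keys = new Set<string>();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) keys.add(line.slice(0, eq).trim());
  }
  return keys;
}

// Drift rules: every manifest key must appear in .env.example and in compose,
// and compose must not carry keys the manifest does not manage.
function checkDrift(manifest: ManifestEntry[], envExample: string, composeEnv: string): string[] {
  const errors: string[] = [];
  const exampleKeys = keysOf(envExample);
  const composeKeys = keysOf(composeEnv);
  const managed = manifest.map((e) => e.name);
  const managedSet = new Set(managed);
  for (const name of managed) {
    if (!exampleKeys.has(name)) errors.push(`${name}: missing from .env.example`);
    if (!composeKeys.has(name)) errors.push(`${name}: missing from docker-compose.yml`);
  }
  for (const key of Array.from(composeKeys)) {
    if (!managedSet.has(key)) errors.push(`${key}: unmanaged key in docker-compose.yml`);
  }
  return errors;
}

type DeployContext = Record<Source, Record<string, string | undefined>>;

// Build the deploy .env from GitHub inputs/vars/secrets. An unset GitHub var or
// secret expands to an empty string in a workflow, so "" is treated as absent too.
// Required entries with no value are reported; optional ones use their default or are omitted.
function generateDeployEnv(manifest: ManifestEntry[], ctx: DeployContext): { env: string; missing: string[] } {
  const lines: string[] = [];
  const missing: string[] = [];
  for (const entry of manifest) {
    const raw = ctx[entry.source][entry.name];
    const value = raw === undefined || raw === "" ? entry.default : raw;
    if (value === undefined) {
      if (entry.required) missing.push(`${entry.name} (${entry.source}.${entry.name})`);
      continue;
    }
    lines.push(`${entry.name}=${value}`);
  }
  return { env: lines.join("\n") + "\n", missing };
}

// Constructed GitHub context for a staging run; DATABASE_PASSWORD is intentionally unset.
const sampleContext: DeployContext = {
  inputs: { ENVIRONMENT: "staging" },
  vars: { DATABASE_HOST: "db.staging.internal" },
  secrets: {},
};

console.log("drift:", checkDrift(sampleManifest, sampleEnvExample, sampleComposeEnv));
console.log("missing:", generateDeployEnv(sampleManifest, sampleContext).missing);
```

Run as written it reports two drift errors (SKIP_DOWNLOAD absent from .env.example, LEGACY_FLAG unmanaged in compose) and one missing required secret. Treating an empty string as unset is the check worth keeping in any real implementation: a secret that was never created in the GitHub Environment arrives as "" rather than failing the expression, and would otherwise be written into /srv/.env as an empty value.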

Security

  • Generated deploy env is not committed; production values live in GitHub Environments / Secrets.
  • /srv/.env: restrict on the host as needed (not world-readable); see deployment model and Operations (SSH).
  • Prefer runtime env over Docker build args for secrets.
  • Prefer AWS OIDC over long-lived access keys where applicable.

Operations (SSH)

  • cd /srv && docker compose logs app -f — requires a readable /srv/.env (see the permissions note under Security).
  • docker logs -f app — container logs only; does not read /srv/.env.

Source mapping (generated)

| Name | Source | Required | Description |
|------|--------|----------|-------------|
| ENVIRONMENT | inputs.ENVIRONMENT | yes | Deployment target environment (staging\|production). |
| DATABASE_HOST | vars.DATABASE_HOST | yes | Database host used by app/processing and PG client variables. |
| DATABASE_USER | secrets.DATABASE_USER | yes | Database username. Sensitive. |
| DATABASE_PASSWORD | secrets.DATABASE_PASSWORD | yes | Database password. Sensitive. |
| DATABASE_NAME | secrets.DATABASE_NAME | yes | Database name. |
| PROCESS_GEOFABRIK_DOWNLOAD_URL | vars.PROCESS_GEOFABRIK_DOWNLOAD_URL | yes | PBF download URL (internal/public Geofabrik extract). |
| PROCESS_GEOFABRIK_OAUTH_OSM_USERNAME | secrets.PROCESS_GEOFABRIK_OAUTH_OSM_USERNAME | no | Optional Geofabrik OAuth username. Sensitive. |
| PROCESS_GEOFABRIK_OAUTH_OSM_PASSWORD | secrets.PROCESS_GEOFABRIK_OAUTH_OSM_PASSWORD | no | Optional Geofabrik OAuth password. Sensitive. |
| TILES_URL | vars.TILES_URL | yes | Public tile endpoint hostname. |
| CACHELESS_URL | vars.CACHELESS_URL | yes | Cacheless tile endpoint hostname. |
| VITE_APP_ORIGIN | vars.VITE_APP_ORIGIN | yes | Public app origin. |
| VITE_APP_ENV | vars.VITE_APP_ENV | yes | App environment for client/server behavior. |
| APP_URL | vars.APP_URL | yes | Main app hostname used by Traefik labels. |
| SESSION_SECRET_KEY | secrets.SESSION_SECRET_KEY | yes | Session signing secret. Sensitive. |
| OSM_CLIENT_ID | secrets.OSM_CLIENT_ID | yes | OSM OAuth client ID. Sensitive. |
| OSM_CLIENT_SECRET | secrets.OSM_CLIENT_SECRET | yes | OSM OAuth client secret. Sensitive. |
| S3_KEY | secrets.S3_KEY | yes | S3 access key. Sensitive. |
| S3_SECRET | secrets.S3_SECRET | yes | S3 secret key. Sensitive. |
| S3_REGION | secrets.S3_REGION | yes | S3 region. |
| S3_BUCKET | secrets.S3_BUCKET | yes | S3 bucket used by app/scripts. |
| ATLAS_API_KEY | secrets.ATLAS_API_KEY | yes | Internal atlas API key. Sensitive. |
| MAPROULETTE_API_KEY | secrets.MAPROULETTE_API_KEY | yes | MapRoulette API key. Sensitive. |
| BREVO_API_KEY | secrets.BREVO_API_KEY | yes | Brevo API key for transactional email delivery. Sensitive. |
| SKIP_DOWNLOAD | vars.SKIP_DOWNLOAD | no | Processing flag (default 1). Default: 1. |
| SKIP_UNCHANGED | vars.SKIP_UNCHANGED | no | Processing flag (default 0). Default: 0. |
| PROCESSING_DIFFING_MODE | vars.PROCESSING_DIFFING_MODE | yes | Diffing mode for processing. |
| PROCESSING_DIFFING_BBOX | vars.PROCESSING_DIFFING_BBOX | yes | Diffing bbox for processing. |
| ECR_REGISTRY | vars.ECR_REGISTRY | yes | Private ECR registry URL used by docker-compose to pull images. |