CI/CD Secrets Reference
December 9, 2025 · View on GitHub
Overview
This document provides a comprehensive reference for all secrets and environment variables used in the tree-sitter-analyzer CI/CD workflows.
Required Secrets
1. CODECOV_TOKEN
Purpose: Upload test coverage reports to Codecov
Used By:
- develop-automation.yml
- release-automation.yml
- hotfix-automation.yml
- ci.yml
How to Obtain:
- Visit https://codecov.io/
- Sign in with GitHub account
- Navigate to the tree-sitter-analyzer repository
- Go to Settings → General
- Copy the repository upload token
How to Set:
- Go to GitHub repository Settings
- Navigate to Secrets and variables → Actions
- Click "New repository secret"
- Name:
CODECOV_TOKEN - Value: Paste the token from Codecov
- Click "Add secret"
Failure Impact: Coverage reports won't be uploaded, but workflows will continue (non-blocking)
2. PYPI_API_TOKEN
Purpose: Deploy packages to PyPI
Used By:
- release-automation.yml
- hotfix-automation.yml
How to Obtain:
- Visit https://pypi.org/
- Sign in to your account
- Go to Account settings → API tokens
- Click "Add API token"
- Name:
tree-sitter-analyzer-deploy - Scope: Select "Project: tree-sitter-analyzer"
- Click "Add token"
- Copy the token (starts with
pypi-)
How to Set:
- Go to GitHub repository Settings
- Navigate to Secrets and variables → Actions
- Click "New repository secret"
- Name:
PYPI_API_TOKEN - Value: Paste the token from PyPI
- Click "Add secret"
Failure Impact: Deployment to PyPI will fail (blocking for release/hotfix workflows)
Security Notes:
- Never commit this token to version control
- Rotate token if compromised
- Use project-scoped tokens (not account-wide)
- Store securely in GitHub Secrets only
3. GITHUB_TOKEN
Purpose: Create pull requests and interact with GitHub API
Used By:
- develop-automation.yml
- release-automation.yml
- hotfix-automation.yml
How to Obtain: Automatically provided by GitHub Actions (no manual setup required)
Permissions Required:
permissions:
contents: write
pull-requests: write
Failure Impact: PR creation will fail (blocking)
Notes:
- Automatically available in all workflows
- Permissions are set in workflow files
- No manual configuration needed
Environment Variables
Workflow-Level Variables
PYTHON_VERSION
Purpose: Specify Python version for quality checks and coverage
Default: 3.11
Used By: All workflows
Configuration:
inputs:
python-version:
default: '3.11'
type: string
UV_SYSTEM_PYTHON
Purpose: Configure uv to use system Python
Default: 1
Used By: All workflows
Configuration:
env:
UV_SYSTEM_PYTHON: 1
Test Matrix Variables
matrix.os
Purpose: Operating system for test execution
Values:
ubuntu-latestwindows-latestmacos-latest
Used By: All test jobs
matrix.python-version
Purpose: Python version for test execution
Values:
"3.10""3.11""3.12""3.13"
Used By: All test jobs
Secret Management Best Practices
Security Guidelines
-
Never Commit Secrets
- Never commit secrets to version control
- Use
.gitignorefor local secret files - Use GitHub Secrets for CI/CD
-
Rotate Regularly
- Rotate PYPI_API_TOKEN every 6 months
- Rotate CODECOV_TOKEN if compromised
- Update GitHub Secrets after rotation
-
Limit Scope
- Use project-scoped tokens when possible
- Avoid account-wide tokens
- Use minimal required permissions
-
Monitor Usage
- Review GitHub Actions logs regularly
- Monitor for unauthorized access
- Set up alerts for failed authentications
Access Control
-
Repository Settings
- Limit who can modify secrets
- Require admin approval for secret changes
- Enable audit logging
-
Branch Protection
- Require status checks before merging
- Require pull request reviews
- Restrict who can push to protected branches
-
Workflow Permissions
- Use minimal required permissions
- Explicitly declare permissions in workflows
- Review permissions regularly
Troubleshooting
CODECOV_TOKEN Issues
Symptom: Coverage upload fails
Solutions:
- Verify token is set correctly in GitHub Secrets
- Check token hasn't expired
- Verify repository is configured in Codecov
- Check Codecov service status
Workaround: Coverage upload failures don't block workflows
PYPI_API_TOKEN Issues
Symptom: Deployment to PyPI fails with 403 Forbidden
Solutions:
- Verify token is set correctly in GitHub Secrets
- Check token hasn't been revoked
- Verify token has correct project scope
- Generate new token if needed
Workaround: None - deployment requires valid token
GITHUB_TOKEN Issues
Symptom: PR creation fails with permission errors
Solutions:
- Verify workflow has correct permissions
- Check branch protection rules
- Verify GitHub Actions is enabled
- Check repository settings
Workaround: Manually create PR if automated creation fails
Verification Checklist
Before deploying workflows, verify:
- CODECOV_TOKEN is set in GitHub Secrets
- PYPI_API_TOKEN is set in GitHub Secrets (for release/hotfix)
- GITHUB_TOKEN permissions are configured in workflows
- All secrets are valid and not expired
- Repository is configured in Codecov
- PyPI project exists and token has access
- Branch protection rules are configured
- GitHub Actions is enabled for repository
Secret Rotation Procedure
Rotating CODECOV_TOKEN
- Generate new token in Codecov
- Update GitHub Secret with new token
- Trigger test workflow to verify
- Revoke old token in Codecov
Rotating PYPI_API_TOKEN
- Generate new token in PyPI
- Update GitHub Secret with new token
- Test deployment on test release branch
- Revoke old token in PyPI
Emergency Revocation
If a secret is compromised:
- Immediately revoke the token in the source service (Codecov/PyPI)
- Generate new token with different name
- Update GitHub Secret with new token
- Review logs for unauthorized usage
- Document incident for future reference