GitHub Actions secrets
Last verified against GitHub UI as of 2026-04-28.
What this records
Every CI workflow in this repo authenticates to external services via repo secrets. This page is the inventory: which secrets exist, what each one is for, who owns its rotation, and what happens if one is missing or compromised.
Inventory
| Secret | Used by | Purpose | Owner / rotation |
|---|---|---|---|
| AUTOSTAMP_APP_ID | auto-stamp.yml | Numeric ID of the bioflow-autostamp GitHub App | Org admin (the ID is fixed for the App’s lifetime; read it from the App’s settings page) |
| AUTOSTAMP_APP_PRIVATE_KEY | auto-stamp.yml | Private key (PEM) for the bioflow-autostamp App, used to mint short-lived installation tokens | Org admin (regenerate via the App’s “Generate a private key” button, update the secret, then delete the old key) |
| VISIONTRACE_TOKEN | pr_branch_tests.yml | Fine-grained PAT with read access to the private VisionTrace repo (used to pip install VisionTrace at CI time) | Org admin |
| ANTHROPIC_API_KEY | pr_branch_tests.yml | API key for the LLM used by VisionTrace’s verification steps | Team lead |
| BIOFLOW_CI_LICENSE_KEY | pr_branch_tests.yml | License key consumed by the ensure_licensed fixture so VisionTrace tests can pass the first-launch license gate | Boss / licensing admin |
| BIOFLOW_BINARIES_TOKEN | pr_branch_tests.yml | PAT with read access to the private bioflow_binaries repo (the zsig_plugin Flutter package) | Org admin |
| SLACK_TOKEN | pr_branch_tests.yml | Slack bot token for notifications and installer file uploads to #build-development | Team lead |
| SENTRY_AUTH_TOKEN | pr_branch_tests.yml | Sentry auth token used by dart run sentry_dart_plugin to upload debug symbols | Team lead |
| GITHUB_TOKEN | All workflows (auto-injected) | Default per-run token GitHub provides; branch protection on main applies to it, so it cannot push there and auto-stamp uses the App token instead | GitHub-managed (scoped to the run and expires when the job finishes) |
Where secrets are configured
Repo-level secrets (the ones inventoried on this page) are managed at:
https://github.com/Corona-Project-Life/Bioflow-Pro/settings/secrets/actions
Org-level secrets (shared with all, or a selected set of, org repos) are managed at:
https://github.com/organizations/Corona-Project-Life/settings/secrets/actions
This repo currently uses repo-level secrets only, which keeps per-product ownership easy to track.
Rotation
| Trigger | Action |
|---|---|
| Routine — annually | Rotate any token with no expiry; regenerate App private keys |
| Suspected compromise | Revoke the old token / key immediately, then issue a fresh one, update the secret, and review the provider’s audit log for any use of the old credential |
| Personnel change (someone with admin access leaves the org) | Rotate any token they could have read. PATs are bound to the issuing user’s account and stop working when that account leaves the org, so also reissue any PAT they created |
| Tool version upgrade requiring new scopes | Reissue with the new scope set |
After any rotation, trigger a workflow_dispatch run of pr_branch_tests.yml and auto-stamp.yml against a known-good ref to confirm the new secret works before a real PR depends on it.
What happens if a secret is missing or invalid
| Secret | Symptom |
|---|---|
| AUTOSTAMP_APP_ID / AUTOSTAMP_APP_PRIVATE_KEY | actions/create-github-app-token step fails; auto-stamp does not run; the PR merges but no REVIEWED_HASH is written |
| VISIONTRACE_TOKEN | uv pip install visiontrace[dev] @ git+https://... returns 403; PR pipeline fails at the install step |
| ANTHROPIC_API_KEY | VisionTrace verify steps fail at the LLM call; ST tests turn red |
| BIOFLOW_CI_LICENSE_KEY | ensure_licensed fixture skips with a clear message; no ST tests run |
| BIOFLOW_BINARIES_TOKEN | flutter pub get fails at the clone step (the private dep cannot authenticate) |
| SLACK_TOKEN | Slack notifications are skipped silently (the step runs with continue-on-error: true), so a missing token only shows up in that step’s log |
| SENTRY_AUTH_TOKEN | Sentry upload step fails; build job goes red |
All of these are recoverable by adding or correcting the secret and re-running the workflow. Note that a secret which does not exist is not an error at workflow start: ${{ secrets.NAME }} evaluates to an empty string, which is why every symptom above surfaces in the step that consumes the value rather than up front.
Auditor checklist
For an external review of the secret inventory:
- Confirm every entry in the table above has a corresponding repo secret of the same name (visit the Secrets page; values are masked, but names and last-updated dates are visible)
- Confirm there are no extra secrets not in the table; extras represent unmaintained credentials that nobody owns
- Confirm the bioflow-autostamp App’s permissions match the auto-stamp App playbook
- Confirm rotation history (last-updated dates) aligns with the rotation policy above
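The first, second and fourth checks above, together with the annual rotation window from the rotation policy, can be run mechanically instead of by eye. The script below is an added example, not code from the Bioflow-Pro repo: it takes the JSON that GET /repos/{owner}/{repo}/actions/secrets returns (the same shape gh api prints), compares it with the inventory table on this page, and reports documented-but-missing, present-but-undocumented, and overdue secrets. The API response embedded in it is constructed sample data with invented dates and an invented extra OLD_DEPLOY_KEY entry, chosen so that each kind of finding appears once; the owner names and the 365-day window come from the tables above.

```python
"""Reconcile this page's secret inventory against GitHub's secret list.

Added example for the auditor checklist; not part of the Bioflow-Pro repo.
Consumes the JSON returned by GET /repos/{owner}/{repo}/actions/secrets and
reports missing, undocumented and overdue secrets against the inventory table.
"""
import json
from datetime import datetime, timedelta, timezone

# Documented inventory: name -> (rotation owner, maximum age in days).
# Owners are taken from the inventory table; 365 days is the "routine, annually" policy.
INVENTORY = {
    "AUTOSTAMP_APP_ID": ("Org admin", 365),
    "AUTOSTAMP_APP_PRIVATE_KEY": ("Org admin", 365),
    "VISIONTRACE_TOKEN": ("Org admin", 365),
    "ANTHROPIC_API_KEY": ("Team lead", 365),
    "BIOFLOW_CI_LICENSE_KEY": ("Boss / licensing admin", 365),
    "BIOFLOW_BINARIES_TOKEN": ("Org admin", 365),
    "SLACK_TOKEN": ("Team lead", 365),
    "SENTRY_AUTH_TOKEN": ("Team lead", 365),
}
# GITHUB_TOKEN is injected per run and never appears in the secrets list, so it is not inventoried.

# The date this page was last verified, used as "now" so the sample audit is reproducible.
AS_OF = datetime(2026, 4, 28, tzinfo=timezone.utc)

# Constructed sample response (not a capture of the real repo). Field names match
# the real endpoint; the dates and the OLD_DEPLOY_KEY entry are invented so that
# one missing, one extra and one stale finding each show up.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 8,
    "secrets": [
        {"name": "AUTOSTAMP_APP_ID", "created_at": "2025-09-01T10:00:00Z", "updated_at": "2025-09-01T10:00:00Z"},
        {"name": "AUTOSTAMP_APP_PRIVATE_KEY", "created_at": "2025-09-01T10:00:00Z", "updated_at": "2026-01-15T09:30:00Z"},
        {"name": "VISIONTRACE_TOKEN", "created_at": "2024-02-10T08:00:00Z", "updated_at": "2024-02-10T08:00:00Z"},
        {"name": "ANTHROPIC_API_KEY", "created_at": "2025-11-03T12:00:00Z", "updated_at": "2025-11-03T12:00:00Z"},
        {"name": "BIOFLOW_CI_LICENSE_KEY", "created_at": "2025-06-20T14:00:00Z", "updated_at": "2025-06-20T14:00:00Z"},
        {"name": "BIOFLOW_BINARIES_TOKEN", "created_at": "2025-08-12T16:00:00Z", "updated_at": "2025-08-12T16:00:00Z"},
        {"name": "SLACK_TOKEN", "created_at": "2025-10-05T11:00:00Z", "updated_at": "2025-10-05T11:00:00Z"},
        {"name": "OLD_DEPLOY_KEY", "created_at": "2023-03-01T09:00:00Z", "updated_at": "2023-03-01T09:00:00Z"},
    ],
})


def _parse_ts(value):
    # GitHub returns RFC 3339 timestamps with a trailing Z; fromisoformat only
    # accepts that suffix from Python 3.11 on, so normalise it explicitly.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(inventory, response_json, now):
    """Return the three findings an auditor cares about.

    missing: documented here but absent on GitHub (the workflow receives an empty string)
    extra:   present on GitHub but undocumented (nobody owns rotation)
    stale:   documented and present, but updated_at is older than the rotation window
    """
    listed = {s["name"]: s for s in json.loads(response_json)["secrets"]}
    missing = sorted(set(inventory) - set(listed))
    extra = sorted(set(listed) - set(inventory))
    stale = []
    for name, (owner, max_age_days) in inventory.items():
        entry = listed.get(name)
        if entry is None:
            continue  # already reported under "missing"
        age = now - _parse_ts(entry["updated_at"])
        if age > timedelta(days=max_age_days):
            stale.append({"name": name, "owner": owner, "age_days": age.days})
    return {"missing": missing, "extra": extra, "stale": stale}


def report(findings):
    """One line per problem; an empty list means the inventory and GitHub agree."""
    lines = []
    for name in findings["missing"]:
        lines.append(f"MISSING  {name}: documented here but not configured on GitHub")
    for name in findings["extra"]:
        lines.append(f"EXTRA    {name}: configured on GitHub but not documented here")
    for s in findings["stale"]:
        lines.append(f"STALE    {s['name']}: last updated {s['age_days']} days ago; chase {s['owner']}")
    return lines


def run_sample_audit():
    """Audit the constructed sample as of the page's verification date."""
    return audit(INVENTORY, SAMPLE_RESPONSE, AS_OF)


if __name__ == "__main__":
    for line in report(run_sample_audit()):
        print(line)
```

To run it against the real repo, replace SAMPLE_RESPONSE with the output of gh api repos/Corona-Project-Life/Bioflow-Pro/actions/secrets (run as someone whose token can read the repo’s secrets metadata) and pass datetime.now(timezone.utc) as now. The endpoint returns names and timestamps only, never values, so the script reads nothing it would need to mask. The INVENTORY dict has to be kept in step with the table above by hand; an extra or missing entry in either place is exactly the drift the auditor checklist exists to catch.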