docs: update secrets documentation for multi-environment setup

zainfathoni · zainfathoni · commit 0d1c9789478b · 2026-01-10T16:33:09.000+07:00
- Split secrets into Repository (shared) and Environment (per-env)
- Add environment: production to deploy job
- Use dummy values for E2E test secrets (not needed for testing)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -176,15 +176,16 @@ jobs:
         run: npm run test:e2e:run
         env:
           CI: true
-          SESSION_SECRET: ${{ secrets.SESSION_SECRET }}
-          MAGIC_LINK_SECRET: ${{ secrets.MAGIC_LINK_SECRET }}
+          SESSION_SECRET: test-session-secret
+          MAGIC_LINK_SECRET: test-magic-link-secret
           MAILGUN_SENDING_KEY: nothing
           MAILGUN_DOMAIN: nothing
 
   deploy:
     name: Deploy to production
     runs-on: ubuntu-latest
     needs: [lint, type-check, unit-test, e2e-test]
+    environment: production
     # Only run on push to main (not on PRs)
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
 
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -22,18 +22,29 @@ Deployment is automated via GitHub Actions:
 
 ## Required GitHub Secrets
 
-Configure these secrets in your repository settings
-(`Settings > Secrets and variables > Actions`):
+Configure secrets in `Settings > Secrets and variables > Actions`.
+
+### Repository Secrets (shared across environments)
 
 | Secret                    | Description                                              |
 | ------------------------- | -------------------------------------------------------- |
 | `SSH_PRIVATE_KEY`         | SSH private key for accessing the VPS                    |
 | `KAMAL_REGISTRY_PASSWORD` | GitHub Personal Access Token with `write:packages` scope |
-| `SESSION_SECRET`          | Session encryption secret                                |
-| `MAGIC_LINK_SECRET`       | Magic link email authentication secret                   |
 | `MAILGUN_SENDING_KEY`     | Mailgun API key for sending emails                       |
 | `MAILGUN_DOMAIN`          | Mailgun domain (e.g., `mg.rumahberbagi.com`)             |
 
+### Environment Secrets (per environment)
+
+Create two environments: `production` and `staging` in
+`Settings > Environments`. Add these secrets to each:
+
+| Secret              | Description                            |
+| ------------------- | -------------------------------------- |
+| `SESSION_SECRET`    | Session encryption secret              |
+| `MAGIC_LINK_SECRET` | Magic link email authentication secret |
+
+**Note:** Use different values for each environment to isolate auth tokens.
+
 ### SSH Key Setup
 
 1. Generate an SSH key pair (if not already done):
