# Variables, secrets and bindings

## Plaintext variables

- `GITHUB_OWNER` — repository owner, for example `yirassssindaba-coder`.
- `GITHUB_REPO` — repository name to monitor.
- `ARGOCD_BASE_URL` — public HTTPS base URL of the Argo CD API.
- `APPLICATION_HEALTH_URL` — safe public application health endpoint.
- `METRICS_HEALTH_URL` — safe public monitoring health endpoint.

## Secrets

- `GITHUB_TOKEN` — fine-grained token. Use Actions read and Contents read for dashboard data; Actions write is needed only for workflow dispatch.
- `ARGOCD_TOKEN` — Argo CD API token with read access to applications.
- `GITHUB_WEBHOOK_SECRET` — shared secret used to verify `X-Hub-Signature-256`.
- `DEVOPS_ADMIN_TOKEN` — protects `POST /api/actions/dispatch`.

## Easy D1 database binding

The platform works without D1, but persistent webhook and workflow-dispatch audit history requires one binding:

- Type: D1 database
- Variable name: `DB`
- Schema setup: automatic
- SQL import: not required

After binding, redeploy and open `/database-setup.html`.

Never put credentials in browser JavaScript, ZIP source, URLs, screenshots, README files or Git history.
