A.4 - Required Secrets and Variables¶
| Secret / Variable | Scope | Description |
|---|---|---|
SFDX_AUTH_URL_PROD |
Repository or env | SFDX auth URL for the production org. Consumed by pr-prod.yml (Apex tests + validation) and the scheduled workflows (drift, tests). |
SFDX_AUTH_URL_STAGING |
Repository or env | SFDX auth URL for the staging / UAT / integration org. Consumed by pr-staging.yml. |
CODECOV_TOKEN |
Repository | CodeCov upload token (required for private repositories). Consumed by both the PR and full-org Apex test workflows and by Jest tests. |
SLACK_WEBHOOK_URL |
Repository | Slack incoming webhook URL for failure/release notifications. Consumed by all scheduled workflows and the release-please workflow. |
RELEASE_PLEASE_TOKEN |
Repository | PAT or GitHub App token with contents:write and pull-requests:write. Required for Release Please to open PRs that trigger CI runs. |
GITHUB_TOKEN |
Automatic | Provided automatically by GitHub. Used for PR comments, label assignment, and issue creation. |
Teams using JWT bearer flow instead of SFDX auth URLs should replace the SFDX_AUTH_URL_* secrets with the corresponding SF_JWT_KEY_*, SF_CLIENT_ID_*, SF_<ENV>_USERNAME, and SF_<ENV>_INSTANCE_URL variables and swap the sf-auth-sfdx-url composite action for sf-auth-jwt in the consuming workflows (A.2.8, A.2.9, A.2.10, A.2.11, A.2.12).