Skip to content

A.4 - Required Secrets and Variables

Secret / Variable Scope Description
SFDX_AUTH_URL_PROD Repository or env SFDX auth URL for the production org. Consumed by pr-prod.yml (Apex tests + validation) and the scheduled workflows (drift, tests).
SFDX_AUTH_URL_STAGING Repository or env SFDX auth URL for the staging / UAT / integration org. Consumed by pr-staging.yml.
CODECOV_TOKEN Repository CodeCov upload token (required for private repositories). Consumed by both the PR and full-org Apex test workflows and by Jest tests.
SLACK_WEBHOOK_URL Repository Slack incoming webhook URL for failure/release notifications. Consumed by all scheduled workflows and the release-please workflow.
RELEASE_PLEASE_TOKEN Repository PAT or GitHub App token with contents:write and pull-requests:write. Required for Release Please to open PRs that trigger CI runs.
GITHUB_TOKEN Automatic Provided automatically by GitHub. Used for PR comments, label assignment, and issue creation.

Teams using JWT bearer flow instead of SFDX auth URLs should replace the SFDX_AUTH_URL_* secrets with the corresponding SF_JWT_KEY_*, SF_CLIENT_ID_*, SF_<ENV>_USERNAME, and SF_<ENV>_INSTANCE_URL variables and swap the sf-auth-sfdx-url composite action for sf-auth-jwt in the consuming workflows (A.2.8, A.2.9, A.2.10, A.2.11, A.2.12).