GitHub Secrets

Repository and environment secrets required for the deployment workflows.

All values previously tracked in GITHUB_SECRETS.md now live here. Configure them under Settings → Secrets and variables → Actions to keep GitHub Actions deployable.

Repository secrets (shared)

Name | Purpose
AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_SUBSCRIPTION_ID / AZURE_TENANT_ID | Azure service principal used by every workflow. Create it via az ad sp create-for-rbac ... --sdk-auth.
AZURE_REGISTRY_NAME | Azure Container Registry name (echoregistry or similar).
AZURE_REGISTRY_USERNAME / AZURE_REGISTRY_PASSWORD | Retrieved via az acr credential show --name <registry>. Enables docker push/pull.

Optional but recommended repository-level secrets:

  • NEXT_PUBLIC_SITE_URL – used by docs builds.
  • SLACK_WEBHOOK_URL – migration alerts (see MIGRATION_SETUP.md).

Development environment secrets

Scope each value to the development environment in GitHub Actions. These feed Terraform variables and container app secrets.

Category | Keys
Database | POSTGRES_ADMIN_PASSWORD
API auth | SERVER_API_KEYS (comma-separated)
Telephony | TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN
LiveKit | LIVEKIT_API_KEY, LIVEKIT_API_SECRET, LIVEKIT_URL, LIVEKIT_SIP_URI
AI models | AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_REALTIME_ENDPOINT, AZURE_OPENAI_API_KEY, ELEVEN_API_KEY
Storage | AZURE_STORAGE_ACCOUNT_NAME, AZURE_STORAGE_ACCOUNT_KEY, AZURE_STORAGE_CONTAINER_NAME

Populate them with dev-specific values so shared infrastructure stays isolated.

Production environment secrets

The same list as above, suffixed with _PROD:

POSTGRES_ADMIN_PASSWORD_PROD
SERVER_API_KEYS_PROD
TWILIO_ACCOUNT_SID_PROD
TWILIO_AUTH_TOKEN_PROD
LIVEKIT_API_KEY_PROD
LIVEKIT_API_SECRET_PROD
LIVEKIT_URL_PROD
LIVEKIT_SIP_URI_PROD
AZURE_OPENAI_ENDPOINT_PROD
AZURE_OPENAI_REALTIME_ENDPOINT_PROD
AZURE_OPENAI_API_KEY_PROD
ELEVEN_API_KEY_PROD
AZURE_STORAGE_ACCOUNT_NAME_PROD
AZURE_STORAGE_ACCOUNT_KEY_PROD
AZURE_STORAGE_CONTAINER_NAME_PROD

Lock production secrets behind environment protection rules (required reviewers, timers, and branch restrictions) so only intentional workflows can access them.

How to create them quickly

# Repo secrets
gh secret set AZURE_CLIENT_ID --body "$CLIENT_ID"
gh secret set AZURE_CLIENT_SECRET --body "$CLIENT_SECRET"

# Environment secrets
gh secret set POSTGRES_ADMIN_PASSWORD --env development --body "dev-password"
gh secret set POSTGRES_ADMIN_PASSWORD_PROD --env production --body "prod-password"

Use terraform output -raw ... in packages/terraform/<env> to pull registry and database connection details once the infrastructure is up.

Verifying secrets

  • gh secret list – repository scope.
  • gh secret list --env development – environment scope.
  • The GitHub Actions UI annotates runs when a referenced secret is missing.
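The manual gh secret list checks above can be turned into a script that diffs the names this page requires against what the CLI reports. The following is an added example, not part of the project's docs; the required-name lists are copied from the tables above, and the sample listing is constructed because gh secret list needs a live GitHub session.

```shell
#!/bin/sh
# Added example (not the project's own code): report which of the secrets this
# page requires are absent from the output of `gh secret list`.

# Repository-scope secrets required by every workflow.
REPO_REQUIRED="AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_SUBSCRIPTION_ID
AZURE_TENANT_ID AZURE_REGISTRY_NAME AZURE_REGISTRY_USERNAME AZURE_REGISTRY_PASSWORD"

# Secrets required in the development environment (production uses the same
# names with a _PROD suffix, see prod_required below).
DEV_REQUIRED="POSTGRES_ADMIN_PASSWORD SERVER_API_KEYS
TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN
LIVEKIT_API_KEY LIVEKIT_API_SECRET LIVEKIT_URL LIVEKIT_SIP_URI
AZURE_OPENAI_ENDPOINT AZURE_OPENAI_REALTIME_ENDPOINT AZURE_OPENAI_API_KEY ELEVEN_API_KEY
AZURE_STORAGE_ACCOUNT_NAME AZURE_STORAGE_ACCOUNT_KEY AZURE_STORAGE_CONTAINER_NAME"

# prod_required: the development names with the _PROD suffix, one per line.
prod_required() {
  for name in $DEV_REQUIRED; do echo "${name}_PROD"; done
}

# missing_secrets REQUIRED LISTING
#   REQUIRED: whitespace-separated secret names.
#   LISTING:  non-TTY output of `gh secret list` (one secret per line, the
#             name in the first tab-separated column).
#   Prints every required name that does not appear in LISTING.
missing_secrets() {
  present=$(printf '%s\n' "$2" | cut -f1)
  for name in $1; do
    if ! printf '%s\n' "$present" | grep -qx -- "$name"; then
      echo "$name"
    fi
  done
}

# Constructed sample of `gh secret list --env development` output in which the
# two Twilio secrets have not been set yet.
SAMPLE_DEV_LISTING=$(printf '%s\t2024-05-01T10:00:00Z\n' \
  POSTGRES_ADMIN_PASSWORD SERVER_API_KEYS \
  LIVEKIT_API_KEY LIVEKIT_API_SECRET LIVEKIT_URL LIVEKIT_SIP_URI \
  AZURE_OPENAI_ENDPOINT AZURE_OPENAI_REALTIME_ENDPOINT AZURE_OPENAI_API_KEY ELEVEN_API_KEY \
  AZURE_STORAGE_ACCOUNT_NAME AZURE_STORAGE_ACCOUNT_KEY AZURE_STORAGE_CONTAINER_NAME)

# Against a real repository, feed live listings instead of the sample:
#   missing_secrets "$REPO_REQUIRED" "$(gh secret list)"
#   missing_secrets "$DEV_REQUIRED" "$(gh secret list --env development)"
#   missing_secrets "$(prod_required)" "$(gh secret list --env production)"
missing_secrets "$DEV_REQUIRED" "$SAMPLE_DEV_LISTING"
```

Run against the sample it prints TWILIO_ACCOUNT_SID and TWILIO_AUTH_TOKEN; an empty result means every name in the list is present.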

With these values in place, the workflows in Auto-Deployment Flow can authenticate to Azure, push images, and hydrate Container Apps without manual intervention.