Skip to content

docs: Clarify environment variable usage and add .env.production #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 8, 2025
Merged

docs: Clarify environment variable usage and add .env.production #141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .env.production
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Production build-time environment variables
# IMPORTANT: This file is used during the build process only
# DO NOT put any secrets here - they would be exposed in the client bundle
# Only NEXT_PUBLIC_* variables should go here as they are meant to be public
# For secrets, use Cloudflare Workers secrets via 'wrangler secret put'

# Turnstile site key for production
NEXT_PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAABgaxmj8dZ-K1EyE
16 changes: 14 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,12 +155,24 @@ bucket_name = "ghostpaste-bucket"
NEXT_PUBLIC_APP_URL = "https://ghostpaste.dev"
```

For local development secrets, create `.dev.vars`:
For environment variables:

**Build-time variables** (`.env` or `.env.production`):

```bash
# Only NEXT_PUBLIC_* variables - these are embedded in the client bundle
NEXT_PUBLIC_TURNSTILE_SITE_KEY=your_public_site_key
```
# Any additional secrets go here

**Runtime secrets** (`.dev.vars` for local, `wrangler secret put` for production):

```bash
# Never put these in .env files!
TURNSTILE_SECRET_KEY=your_secret_key
```

⚠️ **Important**: Never put secrets in `.env` or `.env.production` files as they become part of the client bundle!

### Deployment

```bash
Expand Down
34 changes: 27 additions & 7 deletions docs/LOCAL_DEVELOPMENT.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,33 @@ This guide explains how to set up and run GhostPaste locally for development.
```

3. **Set up local environment variables**
Create a `.dev.vars` file in the root directory:

GhostPaste uses different environment files for different purposes:

- **`.env`** - Build-time variables for local development (loaded by Next.js during build)
- **`.env.production`** - Build-time variables for production builds (PUBLIC variables only - NO SECRETS!)
- **`.dev.vars`** - Runtime secrets for local Wrangler development
- **Cloudflare Secrets** - Runtime secrets for production (via `wrangler secret put`)

Create these files as needed:

**`.env`** (for local build-time variables):

```bash
# Local development secrets
# Add any local development secrets here
# Example:
# API_SECRET=your-secret-here
# Public variables that are safe to expose in the client bundle
NEXT_PUBLIC_TURNSTILE_SITE_KEY=1x00000000000000000000AA
```

**`.dev.vars`** (for local runtime secrets):

```bash
# Runtime secrets - these are NOT exposed to the client
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
# Add other local development secrets here
```

**Important**: Never put secrets in `.env` or `.env.production` files as they are embedded in the client bundle during build!

## Development Workflows

### Standard Next.js Development
Expand Down Expand Up @@ -106,8 +125,9 @@ When using `npm run preview`, the following services are simulated locally:

### Environment Variables

- Development environment uses `env.development` from `wrangler.toml`
- Secrets loaded from `.dev.vars` file
- Build-time variables (NEXT*PUBLIC*\*) loaded from `.env` during build
- Runtime environment uses `env.development` from `wrangler.toml`
- Runtime secrets loaded from `.dev.vars` file
- `ENVIRONMENT=development` and `NEXT_PUBLIC_APP_URL=http://localhost:3000`

## Debugging
Expand Down
13 changes: 11 additions & 2 deletions docs/TURNSTILE_SETUP.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,14 +47,23 @@ TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA

#### Production (Cloudflare Workers)

1. Update `wrangler.toml` with the public site key:
1. For production builds, create `.env.production`:

```bash
# IMPORTANT: Only put PUBLIC variables here - NO SECRETS!
NEXT_PUBLIC_TURNSTILE_SITE_KEY=your_site_key_here
```

**Warning**: `.env.production` is used at build time and variables are embedded in the client bundle. Never put secret keys here!

2. Alternatively, update `wrangler.toml` with the public site key:

```toml
[vars]
NEXT_PUBLIC_TURNSTILE_SITE_KEY = "your_site_key_here"
```

2. Set the secret key as a Cloudflare secret:
3. Set the secret key as a Cloudflare secret:

```bash
wrangler secret put TURNSTILE_SECRET_KEY
Expand Down