# release-kit .env template
# -------------------------
# Copy to `.env` (which is gitignored) and fill in for local dev.
# For CI, set the same variables as repository / environment secrets.
#
# Every value below is a PLACEHOLDER. Real tokens never live in
# this file. In production, prefer OIDC trusted publishing (no
# token at all). See docs/playbook/cross-cutting/oidc-matrix.md.
#
# The filled-in `.env` is itself a secret: keep it readable only by
# you (chmod 600), never echo it into a shell history or a CI log,
# and rotate any value that is ever committed, printed or shared.
# The placeholders keep each vendor's token prefix (ghp_, glpat-,
# dckr_pat_, ...) purely as a format hint; leave the obviously fake
# YOUR-...-HERE part in place so this template is never mistaken
# for a live file.
# NOTE(review): how quotes, `#` and multi-line values are handled is
# dotenv-loader specific — confirm against the loader release-kit
# uses before relying on anything but plain single-line values.


# === PyPI ===
# OIDC-preferred. Token only for local dev / first-bootstrap upload.
# Scope: per-project (entire-account only for first publish).
# Revoke the bootstrap token as soon as trusted publishing is
# configured for the project; it is not needed afterwards.
PYPI_TOKEN=pypi-YOUR-TOKEN-HERE


# === npm (registry.npmjs.org) ===
# Use an Automation Token for CI (bypasses 2FA).
# Scope: Read + Write on the specific package.
# Because it bypasses 2FA this token is as powerful as your account
# on that package: prefer a granular access token limited to the one
# package, with the shortest expiry the registry offers, over a
# classic account-wide token.
NPM_TOKEN=npm_YOUR-TOKEN-HERE


# === npm via GitHub Packages ===
# Uses your GitHub token; see GITHUB_TOKEN below.
# Scope: packages:read + packages:write.


# === npm via GitLab Package Registry ===
# Use CI_JOB_TOKEN in pipelines; deploy token for external CI.
# Scope: write_package_registry.
# CI_JOB_TOKEN lives only as long as the job; a deploy token is a
# long-lived credential, so give it an expiry date when creating it.
GITLAB_NPM_TOKEN=glpat-YOUR-TOKEN-HERE


# === Docker Hub ===
# Access token, per-namespace, Read+Write+Delete.
# NOTE(review): Delete lets the token remove tags and repositories.
# Publishing only needs Read+Write — confirm release-kit actually
# deletes images before granting Delete.
DOCKERHUB_USERNAME=my-dockerhub-user
DOCKERHUB_TOKEN=dckr_pat_YOUR-TOKEN-HERE


# === GHCR (GitHub Container Registry) ===
# Use workflow GITHUB_TOKEN in CI; PAT for local dev only.
# Scope: packages:write (and contents:read for the source).
# Falls through to GITHUB_TOKEN if unset.
# A PAT reaches every package your account can write, unlike the
# per-workflow GITHUB_TOKEN; keep it uncommented only on a dev box.
# GHCR_TOKEN=ghp_YOUR-TOKEN-HERE


# === GitLab Container Registry ===
# CI_JOB_TOKEN in pipelines; deploy token externally.
# Scope: write_registry.
# Same expiry advice as the GitLab package-registry token above.
GITLAB_REGISTRY_TOKEN=glpat-YOUR-TOKEN-HERE


# === AWS ECR ===
# Prefer OIDC via aws-actions/configure-aws-credentials.
# IAM access keys only when OIDC isn't available.
# Access keys are long-lived and not bound to a repository: attach
# an IAM policy limited to pushing to the target ECR repository and
# rotate the pair on a schedule. AWS_REGION is not a secret.
AWS_ACCESS_KEY_ID=AKIA-YOUR-KEY-HERE
AWS_SECRET_ACCESS_KEY=YOUR-SECRET-HERE
AWS_REGION=us-east-1


# === Google Artifact Registry ===
# Prefer Workload Identity Federation. JSON key as fallback.
# GOOGLE_APPLICATION_CREDENTIALS points at a downloaded key file
# (NEVER paste the key contents inline here).
# Keep the key file outside the working tree with mode 0600;
# revoking it means deleting the key in IAM, not just the file.
GOOGLE_APPLICATION_CREDENTIALS=/absolute/path/to/sa-key.json


# === Azure Container Registry ===
# Prefer OIDC federation via azure/login@v2. SP secret as fallback.
# Only AZURE_CLIENT_SECRET is secret; the three IDs are identifiers.
# Client secrets carry an expiry — record it and rotate before it.
AZURE_CLIENT_ID=YOUR-APP-ID
AZURE_TENANT_ID=YOUR-TENANT-ID
AZURE_SUBSCRIPTION_ID=YOUR-SUB-ID
AZURE_CLIENT_SECRET=YOUR-SP-SECRET-HERE


# === Homebrew tap ===
# PAT scoped to the tap repo for cross-repo PR.
# Scope: Contents: Read & write, Pull requests: Read & write.
# Use a fine-grained PAT whose repository access is the tap repo
# only; fine-grained PATs have an expiry, so note the date.
TAP_GITHUB_TOKEN=ghp_YOUR-TOKEN-HERE


# === Maven Central ===
# Central Portal API token (new path).
CENTRAL_TOKEN_USER=YOUR-PORTAL-USER
CENTRAL_TOKEN_VALUE=YOUR-PORTAL-TOKEN
# GPG signing (required by Central; not by release-kit itself).
# Export and use a dedicated signing subkey, never the primary key;
# the passphrase below unlocks whatever is pasted here.
# NOTE(review): an ASCII-armoured key spans many lines, and this is
# the one value this template puts inline (contrast the Google key
# above). Whether a quoted multi-line value survives the dotenv
# loader is loader-specific — confirm it, or store the key as a
# single base64 line or as a path to a 0600 file instead.
GPG_PRIVATE_KEY="-----BEGIN PGP PRIVATE KEY BLOCK-----..."
GPG_PASSPHRASE=YOUR-PASSPHRASE


# === RubyGems ===
# Prefer OIDC trusted publisher (since 2024).
# Token only for legacy / non-GH-Actions paths.
# If a key is used, scope it to push only and, where offered, to
# the single gem, with an expiry.
RUBYGEMS_API_KEY=rubygems_YOUR-KEY-HERE


# === crates.io ===
# Scope: publish-new + publish-update for first release; narrower for updates.
# crates.io tokens can also be restricted to named crates and given
# an expiry; set both so a leaked token cannot touch other crates.
CARGO_REGISTRY_TOKEN=crates-io-YOUR-TOKEN-HERE


# === NuGet ===
# Glob-scoped API key (e.g., "MyOrg.*").
# The glob should match only your own ID prefix; pick the shortest
# expiry that fits the release cadence.
NUGET_API_KEY=nuget-YOUR-KEY-HERE


# === Packagist ===
PACKAGIST_USER=my-packagist-user
PACKAGIST_TOKEN=packagist-YOUR-TOKEN-HERE


# === GitHub.com ===
# In CI, the workflow GITHUB_TOKEN is auto-injected; don't set this.
# Locally: fine-grained PAT scoped to the repo with required perms.
# If a `.env` holding this line is loaded in CI it silently replaces
# the per-job token with a long-lived one — keep it out of CI.
# In workflows, restrict the injected token with a `permissions:`
# block instead of relying on defaults.
GITHUB_TOKEN=ghp_YOUR-TOKEN-HERE


# === GitHub Enterprise (Cloud / Server) ===
# Override the API host for non-github.com:
# GH_HOST=github.example.com
# Same GITHUB_TOKEN env var (or the SSO-authorised PAT).


# === GitLab.com ===
# Project / group access token preferred over PAT.
# Scope: api (or narrower set).
# `api` is the broadest scope; if release-kit only pushes tags and
# releases, a narrower write_repository / read_api pair is enough —
# confirm against what it calls.
GITLAB_TOKEN=glpat-YOUR-TOKEN-HERE


# === GitLab Self-Managed ===
# GL_HOST=gitlab.example.com
# Same GITLAB_TOKEN env var.


# === Bitbucket Cloud ===
# App passwords are account-wide, not per repository: grant only the
# repository and pull-request permissions release-kit needs.
# NOTE(review): Atlassian is moving Bitbucket Cloud from app
# passwords to scoped API tokens — check current guidance.
BITBUCKET_USERNAME=my-bitbucket-user
BITBUCKET_APP_PASSWORD=ATBB-YOUR-PASSWORD-HERE


# === Bitbucket Data Center ===
# BITBUCKET_DC_HOST=bitbucket.example.com
# HTTP Access Token preferred.
# Create it at repository (not personal) level with an expiry so it
# is tied to the project rather than to a person.
BITBUCKET_DC_TOKEN=YOUR-HTTP-TOKEN-HERE


# === Gitea / Forgejo ===
# For Forgejo SaaS use codeberg.org as the host.
# (Kept on its own line: a trailing note after the value would be
# read as part of the value by many dotenv loaders if uncommented.)
# GITEA_HOST=gitea.example.com
# Where the instance supports scoped tokens, limit it to the
# package / repository write scopes needed.
GITEA_TOKEN=YOUR-TOKEN-HERE


# === Azure DevOps ===
# PATs are organisation-wide by default: restrict to the Code /
# Packaging scopes needed and set an expiry.
AZURE_DEVOPS_ORG=https://dev.azure.com/my-org
AZURE_DEVOPS_PAT=YOUR-PAT-HERE


# === release-kit operational ===
# Set this to "1" to allow falling back from OIDC to a long-lived
# token without --allow-token-auth on the CLI. Default is "0".
# This is the guard that stops an OIDC-only pipeline from quietly
# degrading to token auth. Leave it 0 in CI; set 1 only in the
# shell session that needs it, since every run that loads a file
# with it set to 1 may fall back to a long-lived token.
RELEASE_KIT_ALLOW_TOKEN_AUTH=0
