-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
111 lines (97 loc) · 4.95 KB
/
Copy path.env.example
File metadata and controls
111 lines (97 loc) · 4.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# ---------------------------------------------------------------------------
# SECURITY NOTE: This file is a template — copy it to .env and fill in real
# values. The .env file is excluded from git, but it still stores secrets as
# plaintext on disk, readable by any process with filesystem access (including
# AI coding tools). For better security, keep secrets out of .env entirely:
#
# 1Password (recommended for individuals):
# Replace values with op:// references, then run:
# op run --env-file=.env -- uv run python triage.py ...
# op run --env-file=.env -- uv run python -m worker
#
# Shell only (no .env file):
# export GITHUB_TOKEN=... in ~/.zshrc or equivalent
#
# Outside the repo:
# uv run --env-file ~/.config/dependency-scout/.env python triage.py ...
#
# See docs/security.md for details.
# ---------------------------------------------------------------------------
# Temporal — local dev server (default)
TEMPORAL_ADDRESS=localhost:7233
TEMPORAL_NAMESPACE=default
TEMPORAL_TASK_QUEUE=default
TEMPORAL_UI_BASE_URL=http://localhost:8233
# Temporal Cloud — uncomment and fill in if using Temporal Cloud instead
# TEMPORAL_ADDRESS=your-namespace.tmprl.cloud:7233
# TEMPORAL_NAMESPACE=your-namespace.abc12
# TEMPORAL_UI_BASE_URL=https://cloud.temporal.io
# TEMPORAL_TLS_CERT=/path/to/client.pem
# TEMPORAL_TLS_KEY=/path/to/client.key
# ---------------------------------------------------------------------------
# Classifier — pick one; defaults to Claude if ANTHROPIC_API_KEY is set,
# otherwise falls back to the built-in rule-based classifier (no API key needed).
# Valid built-in values: claude, openai, ollama, rule_based
# CLASSIFIER=claude
# ---------------------------------------------------------------------------
# Anthropic (Claude classifier — recommended)
# Get a key at: console.anthropic.com → API Keys
ANTHROPIC_API_KEY=
ANTHROPIC_MODEL=claude-sonnet-4-6
# OpenAI (alternative classifier — set CLASSIFIER=openai to activate)
# Get a key at: platform.openai.com/api-keys
# OPENAI_API_KEY=
# OPENAI_MODEL=gpt-4o
# Ollama (local LLM — set CLASSIFIER=ollama to activate, no API key needed)
# OLLAMA_HOST=http://localhost:11434
# OLLAMA_MODEL=llama3.2
# ---------------------------------------------------------------------------
# GitHub — use a PAT for local testing, GitHub App for production
# ---------------------------------------------------------------------------
# Quickest option: classic PAT with 'public_repo' scope
# github.com → Settings → Developer settings → Personal access tokens → Tokens (classic)
# Tick: public_repo (gives comment + read access on public repos)
#
# Fine-grained PAT (more secure, but org repos require org approval):
# Tokens (fine-grained) → Only select repositories → Repository permissions:
# Contents: Read-only, Pull requests: Read and write, Metadata: Read-only
# (triage.py only needs Read — write is required to post PR comments)
#
# See docs/security.md for the full breakdown.
GITHUB_TOKEN=
# GitHub App (production — swap in once App registration is done)
GITHUB_APP_ID=
# Path to the downloaded .pem file:
GITHUB_APP_PRIVATE_KEY_PATH=
# Alternative: paste the PEM content inline (deployment-friendly, no file needed):
GITHUB_APP_PRIVATE_KEY=
# Run `uv run python setup.py` to generate this automatically, or:
# python -c "import secrets; print(secrets.token_hex(32))"
GITHUB_WEBHOOK_SECRET=
# ---------------------------------------------------------------------------
# GitLab (optional — only needed for GitLab-hosted repos)
# ---------------------------------------------------------------------------
# GITLAB_TOKEN: personal access token with 'api' scope
# gitlab.com → User Settings → Access Tokens → add token → tick: api
# GITLAB_TOKEN=
# GITLAB_WEBHOOK_SECRET=
# GITLAB_BASE_URL=https://gitlab.com # override for self-hosted instances
# ---------------------------------------------------------------------------
# Signal enrichment APIs (all optional — graceful degradation without them)
# ---------------------------------------------------------------------------
# Socket.dev — supply chain risk scoring and malware alerts
# Create a token at https://socket.dev/dashboard/settings/api-tokens
# Required scope: packages:list
SOCKET_API_KEY=
# OpenSSF Scorecard — repo security hygiene signals (no key required,
# but a GITHUB_TOKEN above is used to avoid rate limits)
# OSV — vulnerability lookup (no key required, uses public API)
# deps.dev — deprecation signals (no key required, uses public API)
# ---------------------------------------------------------------------------
# Operator defaults (override per-repo via .github/triage-agent.yml)
# ---------------------------------------------------------------------------
DEFAULT_MIN_RELEASE_AGE_HOURS=168
# ---------------------------------------------------------------------------
# Local testing overrides
# ---------------------------------------------------------------------------
ENABLE_PR_ACTIONS=false