
GitHub Environment Variables Reference

Each CampusCore client requires a GitHub Environment with the following secrets and variables. The environment name must match the client identifier used in deployment (e.g., vsu_pilot, howard).


Repo-Level Configuration (Set Once)

These are shared across all client environments.

| Type | Name | Description |
|------|------|-------------|
| Secret | ADMIN_AWS_ROLE_ARN | Our admin account's IAM role ARN (for Terraform state access) |
| Secret | SLACK_BOT_TOKEN | Bot User OAuth Token (xoxb-...) for the CampusCore Slack app. Used by every tenant's deploy unless overridden at the env level. See Slack Setup. Leave unset to disable Slack workflow notifications across all envs. |
| Variable | CAMPUSCORE_HOSTED_ZONE_ID | Route53 hosted zone ID for campuscoreai.com (Z03938461UVED2L50LENJ) |

Environment Variables (Per-Client, Non-Sensitive)

| Variable | Example | Description |
|----------|---------|-------------|
| AWS_ROLE_ARN | arn:aws:iam::123456789012:role/CampusCore-Deploy-Role | Client's deploy role ARN (created by client via CloudFormation) |
| AWS_REGION | us-east-1 | AWS region for deployment (defaults to us-east-1 if omitted) |
| TF_STATE_BUCKET | campuscore-tfstate-howard | S3 bucket for this client's Terraform state |
| CUSTOM_DOMAIN_WITH_PROTOCOL | https://ai.howard.edu | Full URL including protocol. Auto-computed when ENABLE_CUSTOM_DOMAIN_WITH_SSL is true |
| ENABLE_CUSTOM_DOMAIN_WITH_SSL | true | Set to true to provision {env}.campuscoreai.com subdomain + ACM certificate + HTTPS. Defaults to false |

SSO Configuration

SSO providers (SAML, OIDC) are configured via the Django admin panel after deployment — no GitHub Environment variables needed. See Post-Deployment Step 4b.

Observability (Sentry)

All optional except SENTRY_DSN. Workflow defaults apply when a variable is unset. See Sentry Setup for the full operator playbook (creating the Sentry project, picking shared vs per-tenant, Slack/GitHub integration, troubleshooting).

| Variable | Example | Description |
|----------|---------|-------------|
| SENTRY_ENVIRONMENT | vsu-troy-pilot | Sentry environment tag for filtering. Defaults to the GitHub Environment name via Terraform fallback if unset. |
| SENTRY_TRACES_SAMPLE_RATE | 0.2 | Fraction of transactions sampled for performance tracing. Workflow default: 0.2. |
| SENTRY_ENABLE_LOGS | true | Whether to ship logs to Sentry's Logs product. Workflow default: true. Set to false to send only errors + traces. |
| SENTRY_PROFILES_SAMPLE_RATE | 0.0 | CPU profiling sample rate. Workflow default: 0.0 (disabled). |

RELEASE_SHA is auto-set from ${{ github.sha }} by the deploy workflow — no manual config required.

Notifications (Slack workflow_runs)

All optional. Setting them lights up start/complete/fail messages from the index health check, HNSW rebuild, and scrape pipelines. See Slack Setup for the operator playbook (creating the app, channel, inviting the bot, troubleshooting).

| Variable | Example | Description |
|----------|---------|-------------|
| SLACK_CHANNEL_WORKFLOW_RUNS | C0B4C4Q57HP | Channel ID, not name. The Slack channel the bot posts to for this tenant. ⚠ Must be set as a variable, not a secret: the workflow reads ${{ vars.SLACK_CHANNEL_WORKFLOW_RUNS }}. Leaving empty disables Slack posts for this tenant only. |

Index Maintenance Scheduling

All optional. The defaults keep the EventBridge schedule off (manual checks/rebuilds via the dashboard only). Opt in per environment once the metrics are calibrated. See Vector Index Observability.

| Variable | Example | Description |
|----------|---------|-------------|
| ENABLE_INDEX_MAINTENANCE_SCHEDULE | true | When true, Terraform creates the daily EventBridge schedule that runs auto_rebuild_if_justified. Workflow default: false. |
| INDEX_MAINTENANCE_SCHEDULE_CRON | cron(0 6 * * ? *) | EventBridge cron expression for the schedule. Workflow default: cron(0 6 * * ? *) (06:00 UTC daily). |

Environment Secrets (Per-Client, Sensitive)

Generated by Us

Use ./scripts/generate-secrets.sh <client_name> to generate these:

| Secret | Description |
|--------|-------------|
| DB_USERNAME | RDS PostgreSQL username |
| DB_PASSWORD | RDS PostgreSQL password |
| DJANGO_SECRET_KEY | Django SECRET_KEY for cryptographic signing |
| APP_FERNET_KEY | Fernet key for encrypting connector credentials |

Provided by Client

| Secret | Description |
|--------|-------------|
| OPENAI_API_KEY | OpenAI API key for embeddings and LLM |
| GEMINI_API_KEY | Google Gemini API key for document OCR |
| COHERE_API_KEY | Cohere API key for search reranking |

Set by Us (Observability)

| Secret | Description |
|--------|-------------|
| SENTRY_DSN | Sentry project DSN. Required for Sentry error/trace/log reporting. Leave unset to disable Sentry (the SDK becomes a no-op). See Sentry Setup for how to obtain the value. |
| SLACK_BOT_TOKEN (optional override) | Per-tenant Slack bot token. Defaults to the repo-level SLACK_BOT_TOKEN secret (one bot for all tenants). Set here only when a client requires their own isolated bot identity. See Slack Setup. |

Hardcoded Environment Variables (Not Configurable)

These are set directly in the ECS task definition (infrastructure/app/ecs.tf) and do not need GitHub Environment configuration:

| Variable | Value | Purpose |
|----------|-------|---------|
| IS_CLOUD_ENV | True | Gates cloud-only behavior: DB TLS (sslmode=require), HTTPS redirect, HSTS, Secure cookies, JSON logging. Always True in deployed environments, False in local dev. |
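
A preflight check over the per-client settings documented above, added here as an example and not part of the CampusCore repository. It takes the variables (name and value) and the secret names of one environment, as `gh variable list --env <client>` and `gh secret list --env <client>` report them; secret values cannot be read back, so only their names are checked. The function names, the regular expressions and the sample values are assumptions.

```python
import re

# Names the page lists as secrets. GitHub shows variables in plain text, so any
# of these found among the variables has been misfiled.
SECRET_NAMES = {"DB_USERNAME", "DB_PASSWORD", "DJANGO_SECRET_KEY", "APP_FERNET_KEY",
                "OPENAI_API_KEY", "GEMINI_API_KEY", "COHERE_API_KEY",
                "SENTRY_DSN", "SLACK_BOT_TOKEN"}
# Assumption: SENTRY_DSN and the Slack override may be absent (unset disables them).
REQUIRED_SECRETS = SECRET_NAMES - {"SENTRY_DSN", "SLACK_BOT_TOKEN"}
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
CHANNEL_ID = re.compile(r"[CG][A-Z0-9]{8,}")  # assumed shape of a Slack channel ID
RATES = ("SENTRY_TRACES_SAMPLE_RATE", "SENTRY_PROFILES_SAMPLE_RATE")

def is_fraction(raw):
    try:
        return 0.0 <= float(raw) <= 1.0
    except ValueError:
        return False

def preflight(variables, secret_names):
    """Return findings for one environment; an empty list means nothing was flagged."""
    findings = [f"{n} is a plain-text variable; store it as a secret"
                for n in sorted(SECRET_NAMES.intersection(variables))]
    findings += [f"secret {n} is missing" for n in sorted(REQUIRED_SECRETS - set(secret_names))]
    if not ROLE_ARN.fullmatch(variables.get("AWS_ROLE_ARN", "")):
        findings.append("AWS_ROLE_ARN is missing or is not an IAM role ARN")
    url = variables.get("CUSTOM_DOMAIN_WITH_PROTOCOL")
    if url and not re.match(r"https?://", url):
        findings.append("CUSTOM_DOMAIN_WITH_PROTOCOL must include the protocol")
    findings += [f"{n} must be a fraction between 0 and 1"
                 for n in RATES if n in variables and not is_fraction(variables[n])]
    if "SLACK_CHANNEL_WORKFLOW_RUNS" in secret_names:
        findings.append("SLACK_CHANNEL_WORKFLOW_RUNS is a secret; the workflow reads vars.*")
    channel = variables.get("SLACK_CHANNEL_WORKFLOW_RUNS")
    if channel and not CHANNEL_ID.fullmatch(channel):
        findings.append("SLACK_CHANNEL_WORKFLOW_RUNS must be a channel ID, not a name")
    return findings

# Constructed sample (not real values) with three mistakes; the misfiled password
# is reported twice: once as exposed, once as missing from the secrets.
SAMPLE_VARS = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/CampusCore-Deploy-Role",
    "SENTRY_TRACES_SAMPLE_RATE": "20",
    "SLACK_CHANNEL_WORKFLOW_RUNS": "#workflow-runs",
    "DB_PASSWORD": "constructed-not-a-real-password",
}
SAMPLE_SECRETS = REQUIRED_SECRETS - {"DB_PASSWORD"}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_VARS, SAMPLE_SECRETS):
        print("FAIL:", finding)
```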

Triggering a Deployment

Option 1: Push to deploy branch

git push origin main:deploy/howard

Option 2: Manual dispatch

Go to Actions > Deploy to AWS > Run workflow > Enter the client name.

Option 3: GitHub CLI

gh workflow run deploy-aws.yml -f client=howard