GitHub Environment Variables Reference
Each CampusCore client requires a GitHub Environment with the following secrets and variables. The environment name must match the client identifier used in deployment (e.g., vsu_pilot, howard).
Repo-Level Configuration (Set Once)
These are shared across all client environments.
| Type | Name | Description |
|---|---|---|
| Secret | ADMIN_AWS_ROLE_ARN | Our admin account's IAM role ARN (for Terraform state access) |
| Secret | SLACK_BOT_TOKEN | Bot User OAuth Token (xoxb-...) for the CampusCore Slack app. Used by every tenant's deploy unless overridden at the env level. See Slack Setup. Leave unset to disable Slack workflow notifications across all envs. |
| Variable | CAMPUSCORE_HOSTED_ZONE_ID | Route53 hosted zone ID for campuscoreai.com (Z03938461UVED2L50LENJ) |
Environment Variables (Per-Client, Non-Sensitive)
| Variable | Example | Description |
|---|---|---|
| AWS_ROLE_ARN | arn:aws:iam::123456789012:role/CampusCore-Deploy-Role | Client's deploy role ARN (created by client via CloudFormation) |
| AWS_REGION | us-east-1 | AWS region for deployment (defaults to us-east-1 if omitted) |
| TF_STATE_BUCKET | campuscore-tfstate-howard | S3 bucket for this client's Terraform state |
| CUSTOM_DOMAIN_WITH_PROTOCOL | https://ai.howard.edu | Full URL including protocol. Auto-computed when ENABLE_CUSTOM_DOMAIN_WITH_SSL is true |
| ENABLE_CUSTOM_DOMAIN_WITH_SSL | true | Set to true to provision {env}.campuscoreai.com subdomain + ACM certificate + HTTPS. Defaults to false |
SSO Configuration
SSO providers (SAML, OIDC) are configured via the Django admin panel after deployment — no GitHub Environment variables needed. See Post-Deployment Step 4b.
Observability (Sentry)
All optional except SENTRY_DSN. Workflow defaults apply when a variable is unset. See Sentry Setup for the full operator playbook (creating the Sentry project, picking shared vs per-tenant, Slack/GitHub integration, troubleshooting).
| Variable | Example | Description |
|---|---|---|
| SENTRY_ENVIRONMENT | vsu-troy-pilot | Sentry environment tag for filtering. Defaults to the GitHub Environment name via Terraform fallback if unset. |
| SENTRY_TRACES_SAMPLE_RATE | 0.2 | Fraction of transactions sampled for performance tracing. Workflow default: 0.2. |
| SENTRY_ENABLE_LOGS | true | Whether to ship logs to Sentry's Logs product. Workflow default: true. Set to false to send only errors + traces. |
| SENTRY_PROFILES_SAMPLE_RATE | 0.0 | CPU profiling sample rate. Workflow default: 0.0 (disabled). |
RELEASE_SHA is auto-set from ${{ github.sha }} by the deploy workflow — no manual config required.
Notifications (Slack workflow_runs)
All optional. Setting them lights up start/complete/fail messages from the index health check, HNSW rebuild, and scrape pipelines. See Slack Setup for the operator playbook (creating the app, channel, inviting the bot, troubleshooting).
| Variable | Example | Description |
|---|---|---|
| SLACK_CHANNEL_WORKFLOW_RUNS | C0B4C4Q57HP | Channel ID, not name. The Slack channel the bot posts to for this tenant. ⚠ Must be set as a variable, not a secret — the workflow reads ${{ vars.SLACK_CHANNEL_WORKFLOW_RUNS }}. Leaving empty disables Slack posts for this tenant only. |
Index Maintenance Scheduling
All optional. The defaults keep the EventBridge schedule off (manual checks/rebuilds via the dashboard only). Opt in per environment once the metrics are calibrated. See Vector Index Observability.
| Variable | Example | Description |
|---|---|---|
| ENABLE_INDEX_MAINTENANCE_SCHEDULE | true | When true, Terraform creates the daily EventBridge schedule that runs auto_rebuild_if_justified. Workflow default: false. |
| INDEX_MAINTENANCE_SCHEDULE_CRON | cron(0 6 * * ? *) | EventBridge cron expression for the schedule. Workflow default: cron(0 6 * * ? *) (06:00 UTC daily). |
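
A pre-deploy check for the per-client variables documented above, added here as an example and not part of the CampusCore repository. The function name, the sample values and the format patterns (modelled on the page's example values) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Names the page lists as secrets; one of these among plain variables is a leak.
SECRET_NAMES = {"DB_USERNAME", "DB_PASSWORD", "DJANGO_SECRET_KEY", "APP_FERNET_KEY",
                "OPENAI_API_KEY", "GEMINI_API_KEY", "COHERE_API_KEY",
                "SENTRY_DSN", "SLACK_BOT_TOKEN", "ADMIN_AWS_ROLE_ARN"}
BOOLEANS = ("ENABLE_CUSTOM_DOMAIN_WITH_SSL", "SENTRY_ENABLE_LOGS",
            "ENABLE_INDEX_MAINTENANCE_SCHEDULE")
RATES = ("SENTRY_TRACES_SAMPLE_RATE", "SENTRY_PROFILES_SAMPLE_RATE")
# Format patterns are assumptions modelled on the page's example values.
PATTERNS = {
    "AWS_ROLE_ARN": r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+",
    "TF_STATE_BUCKET": r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]",
    "SLACK_CHANNEL_WORKFLOW_RUNS": r"[CG][A-Z0-9]{8,}",  # an ID, never "#name"
    "INDEX_MAINTENANCE_SCHEDULE_CRON": r"cron\((\S+ ){5}\S+\)",  # six fields
}

# Constructed sample: channel given by name, and a secret stored as a variable.
SAMPLE = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/CampusCore-Deploy-Role",
          "TF_STATE_BUCKET": "campuscore-tfstate-howard",
          "SLACK_CHANNEL_WORKFLOW_RUNS": "#deploys",
          "SENTRY_DSN": "placeholder-not-a-real-dsn"}


def validate_environment(variables):
    """Return a list of problems found in one client's non-sensitive variables."""
    problems = [f"{name}: belongs in secrets, not variables"
                for name in sorted(SECRET_NAMES & variables.keys())]
    for name, pattern in PATTERNS.items():
        value = variables.get(name)
        if value and not re.fullmatch(pattern, value):
            problems.append(f"{name}: unexpected format {value!r}")
    for name in BOOLEANS:
        if variables.get(name, "false") not in ("true", "false"):
            problems.append(f"{name}: must be 'true' or 'false'")
    for name in RATES:
        try:
            ok = 0.0 <= float(variables.get(name, "0")) <= 1.0
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"{name}: must be a fraction between 0 and 1")
    url = variables.get("CUSTOM_DOMAIN_WITH_PROTOCOL")
    if url:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append("CUSTOM_DOMAIN_WITH_PROTOCOL: needs protocol and host")
    return problems
```
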
Environment Secrets (Per-Client, Sensitive)
Generated by Us
Use ./scripts/generate-secrets.sh <client_name> to generate these:
| Secret | Description |
|---|---|
| DB_USERNAME | RDS PostgreSQL username |
| DB_PASSWORD | RDS PostgreSQL password |
| DJANGO_SECRET_KEY | Django SECRET_KEY for cryptographic signing |
| APP_FERNET_KEY | Fernet key for encrypting connector credentials |
Provided by Client
| Secret | Description |
|---|---|
| OPENAI_API_KEY | OpenAI API key for embeddings and LLM |
| GEMINI_API_KEY | Google Gemini API key for document OCR |
| COHERE_API_KEY | Cohere API key for search reranking |
Set by Us (Observability)
| Secret | Description |
|---|---|
| SENTRY_DSN | Sentry project DSN. Required for Sentry error/trace/log reporting. Leave unset to disable Sentry (the SDK becomes a no-op). See Sentry Setup for how to obtain the value. |
| SLACK_BOT_TOKEN (optional override) | Per-tenant Slack bot token. Defaults to the repo-level SLACK_BOT_TOKEN secret (one bot for all tenants). Set here only when a client requires their own isolated bot identity. See Slack Setup. |
Hardcoded Environment Variables (Not Configurable)
These are set directly in the ECS task definition (infrastructure/app/ecs.tf) and do not need GitHub Environment configuration:
| Variable | Value | Purpose |
|---|---|---|
| IS_CLOUD_ENV | True | Gates cloud-only behavior: DB TLS (sslmode=require), HTTPS redirect, HSTS, Secure cookies, JSON logging. Always True in deployed environments, False in local dev. |
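
How a flag like IS_CLOUD_ENV can gate the transport-security settings listed above, as an added sketch that is not CampusCore's settings module. The setting names are standard Django ones; the function names, the one-year HSTS value, the database name and the treatment of an unset flag as local dev are assumptions.

```python
import os


def parse_is_cloud_env(raw):
    """Parse the flag strictly: bool("False") is True, so compare the text."""
    value = (raw or "").strip().lower()
    if value in ("true", "1"):
        return True
    if value in ("false", "0", ""):  # unset is treated as local dev (assumption)
        return False
    # A typo must not silently switch the protections off or on.
    raise ValueError(f"IS_CLOUD_ENV has unrecognised value {raw!r}")


def cloud_settings(raw, db_name="campuscore"):
    """Return the Django settings that the flag switches on in deployed envs."""
    cloud = parse_is_cloud_env(raw)
    return {
        "SECURE_SSL_REDIRECT": cloud,                      # HTTPS redirect
        "SECURE_HSTS_SECONDS": 31536000 if cloud else 0,   # HSTS, one year assumed
        "SESSION_COOKIE_SECURE": cloud,                    # Secure cookies
        "CSRF_COOKIE_SECURE": cloud,
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": db_name,                           # hypothetical name
                # libpq refuses an unencrypted connection when sslmode=require
                "OPTIONS": {"sslmode": "require"} if cloud else {},
            }
        },
    }


if __name__ == "__main__":
    # The ECS task definition supplies the literal string "True".
    print(cloud_settings(os.environ.get("IS_CLOUD_ENV")))
```
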
Triggering a Deployment
Option 1: Push to deploy branch
Option 2: Manual dispatch
Go to Actions > Deploy to AWS > Run workflow > Enter the client name.