Secrets and Env

At a glance

  • Control-plane and docs cloud deploys are CI-managed.
  • GitHub Environments are the source of truth for deployment vars and secrets.
  • Copy-ready examples live in:
      • .github/environments/development.env.example
      • .github/environments/production.env.example

Do this

  1. Create GitHub Environments:
      • development
      • production
  2. Populate each environment using the matching example file.

Development example (development):

CF_ACCOUNT_ID=TODO_CF_ACCOUNT_ID
CP_WORKER_NAME=tripplan-control-plane-development
CP_PLATFORM_ACCOUNT_ID=TODO_CF_ACCOUNT_ID
CP_PLATFORM_DOMAIN_SUFFIX=dev.tripplan.ing
CP_PLATFORM_ZONE_ID=TODO_CF_ZONE_ID
CP_PLATFORM_OPERATOR_EMAILS=operator@tripplan.ing
CP_PLATFORM_PROVIDER_MODE=cloudflare
CP_GITHUB_OWNER=TODO_GITHUB_OWNER
CP_GITHUB_REPO=tripplan-ing
CP_GITHUB_EVENT_DEPLOY_WORKFLOW=event-deploy-from-manifest.yml
CP_GITHUB_DEPLOY_REF=main
CP_MAILGUN_DOMAIN=TODO_MAILGUN_DOMAIN
CP_D1_DATABASE_ID=TODO_CP_D1_DATABASE_ID
CP_D1_DATABASE_NAME=tripplan-platform-db-development
CP_KV_NAMESPACE_ID=TODO_CP_KV_NAMESPACE_ID
CP_ROUTE_PLATFORM=dev.tripplan.ing/platform*
CP_ROUTE_AUTH=dev.tripplan.ing/auth*
CP_ROUTE_API_AUTH=dev.tripplan.ing/api/auth*
CP_ROUTE_API_PLATFORM=dev.tripplan.ing/api/platform*
CP_ROUTE_APP_ASSETS=dev.tripplan.ing/_app*
DOCS_WORKER_NAME=tripplan-development
DOCS_ROUTE_ROOT=dev.tripplan.ing/*
CF_DEPLOY_API_TOKEN=TODO_CF_DEPLOY_API_TOKEN
CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN=TODO_CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN
CP_SECRET_CLOUDFLARE_API_TOKEN=TODO_CP_SECRET_CLOUDFLARE_API_TOKEN
CP_SECRET_GITHUB_TOKEN=TODO_CP_SECRET_GITHUB_TOKEN
CP_SECRET_MAILGUN_API_KEY=TODO_CP_SECRET_MAILGUN_API_KEY

Production example (production):

CF_ACCOUNT_ID=TODO_CF_ACCOUNT_ID
CP_WORKER_NAME=tripplan-control-plane
CP_PLATFORM_ACCOUNT_ID=TODO_CF_ACCOUNT_ID
CP_PLATFORM_DOMAIN_SUFFIX=tripplan.ing
CP_PLATFORM_ZONE_ID=TODO_CF_ZONE_ID
CP_PLATFORM_OPERATOR_EMAILS=operator@tripplan.ing
CP_PLATFORM_PROVIDER_MODE=cloudflare
CP_GITHUB_OWNER=TODO_GITHUB_OWNER
CP_GITHUB_REPO=tripplan-ing
CP_GITHUB_EVENT_DEPLOY_WORKFLOW=event-deploy-from-manifest.yml
CP_GITHUB_DEPLOY_REF=main
CP_MAILGUN_DOMAIN=TODO_MAILGUN_DOMAIN
CP_D1_DATABASE_ID=TODO_CP_D1_DATABASE_ID
CP_D1_DATABASE_NAME=tripplan-platform-db
CP_KV_NAMESPACE_ID=TODO_CP_KV_NAMESPACE_ID
CP_ROUTE_PLATFORM=tripplan.ing/platform*
CP_ROUTE_AUTH=tripplan.ing/auth*
CP_ROUTE_API_AUTH=tripplan.ing/api/auth*
CP_ROUTE_API_PLATFORM=tripplan.ing/api/platform*
DOCS_WORKER_NAME=tripplan
DOCS_ROUTE_ROOT=tripplan.ing/*
CF_DEPLOY_API_TOKEN=TODO_CF_DEPLOY_API_TOKEN
CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN=TODO_CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN
CP_SECRET_CLOUDFLARE_API_TOKEN=TODO_CP_SECRET_CLOUDFLARE_API_TOKEN
CP_SECRET_GITHUB_TOKEN=TODO_CP_SECRET_GITHUB_TOKEN
CP_SECRET_MAILGUN_API_KEY=TODO_CP_SECRET_MAILGUN_API_KEY

  3. Push to main (or run workflow dispatch) for:
      • .github/workflows/control-plane-deploy.yml
      • .github/workflows/docs-deploy.yml

Runtime secret mapping

Control-plane CI pushes these worker secrets:

  • PLATFORM_ORCHESTRATOR_TOKEN <= CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN
  • CLOUDFLARE_API_TOKEN <= CP_SECRET_CLOUDFLARE_API_TOKEN
  • GITHUB_TOKEN <= CP_SECRET_GITHUB_TOKEN
  • MAILGUN_API_KEY <= CP_SECRET_MAILGUN_API_KEY
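
A pre-deploy check for the mapping above, as an added example that is not part of the project's workflows: it confirms that all four CP_SECRET_* keys are present and no longer TODO_ placeholders, and it reports key names only so no secret value reaches the CI log. The function names (worker_secret_name, unfilled_keys, preflight), the local KEY=VALUE file and the sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not project code. Prints key names only, never values.

# Map a CP_SECRET_* key to its worker secret name (CP_SECRET_ prefix stripped).
worker_secret_name() {
  case "$1" in
    CP_SECRET_?*) printf '%s\n' "${1#CP_SECRET_}" ;;
    *) return 1 ;;
  esac
}

# List keys in env file $1 whose value is empty or still a TODO_ placeholder.
unfilled_keys() {
  while IFS='=' read -r k v || [ -n "$k" ]; do
    case "$k" in ''|'#'*) continue ;; esac
    case "$v" in ''|TODO_*) printf '%s\n' "$k" ;; esac
  done < "$1"
}

# Return non-zero if any mapped worker secret is absent or unfilled in $1.
preflight() {
  rc=0
  for name in PLATFORM_ORCHESTRATOR_TOKEN CLOUDFLARE_API_TOKEN GITHUB_TOKEN MAILGUN_API_KEY; do
    skey="CP_SECRET_${name}"
    if ! grep -q "^${skey}=" "$1" || unfilled_keys "$1" | grep -qx "$skey"; then
      printf 'not ready: %s (worker secret %s)\n' "$skey" "$name" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: a half-populated environment with fake values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CP_WORKER_NAME=tripplan-control-plane-development
CF_DEPLOY_API_TOKEN=TODO_CF_DEPLOY_API_TOKEN
CP_SECRET_PLATFORM_ORCHESTRATOR_TOKEN=constructed-value-1
CP_SECRET_CLOUDFLARE_API_TOKEN=TODO_CP_SECRET_CLOUDFLARE_API_TOKEN
CP_SECRET_GITHUB_TOKEN=constructed-value-2
EOF
preflight "$sample" || echo "deploy blocked"
```

On the constructed sample the check blocks the deploy for two reasons: CP_SECRET_CLOUDFLARE_API_TOKEN is still a placeholder and CP_SECRET_MAILGUN_API_KEY is missing.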

When it fails

  • Workflow dispatch unauthorized: verify CP_SECRET_GITHUB_TOKEN permissions.
  • Cloudflare API failures: verify CF_DEPLOY_API_TOKEN and CP_SECRET_CLOUDFLARE_API_TOKEN scopes.
  • Route conflicts: verify docs root route and control-plane path routes are split correctly.
  • See Troubleshooting.

Released under the MIT License.