Skip to main content

Overview

The GitHub profile README project requires several environment variables and secrets to function properly. These are used for fetching GitHub contribution data and deploying to Cloudflare Workers.

Required Secrets

GH_SECRET

A GitHub Personal Access Token (PAT) used to fetch contribution data via the GitHub GraphQL API. Purpose: Authenticates requests to https://api.github.com/graphql to retrieve contribution statistics. How to obtain:
  1. Go to GitHub Settings > Developer settings > Personal access tokens > Tokens (classic)
  2. Click Generate new token > Generate new token (classic)
  3. Give it a descriptive name (e.g., “Profile README Stats”)
  4. Set an expiration date or choose “No expiration”
  5. Select the following scopes:
    • read:user - Read user profile data
    • repo - Full control of private repositories (if you want to include private contributions)
  6. Click Generate token
  7. Copy the token immediately (you won’t be able to see it again)
Usage in code (scripts/stats.ts:71): 
const response = await fetch("https://api.github.com/graphql", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "User-Agent": "aidrecabrera/readme",
    Authorization: `bearer ${process.env.GH_SECRET}`,
  },
  body: JSON.stringify(body),
});

CLOUDFLARE_API_TOKEN

Cloudflare API token with permissions to deploy Workers. Purpose: Authenticates GitHub Actions to deploy your worker to Cloudflare. How to obtain:
  1. Log in to your Cloudflare dashboard
  2. Go to My Profile > API Tokens
  3. Click Create Token
  4. Use the Edit Cloudflare Workers template or create a custom token with:
    • Permissions:
      • Account > Workers Scripts > Edit
      • Account > Account Settings > Read
  5. (Optional) Set Account Resources to include specific accounts
  6. (Optional) Set IP Address Filtering for added security
  7. Click Continue to summary > Create Token
  8. Copy the token immediately
Usage in workflow (.github/workflows/deploy.yaml:42): 
- name: deploy
  uses: cloudflare/[email protected]
  with:
    apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

CLOUDFLARE_ACCOUNT_ID

Your Cloudflare account identifier. Purpose: Specifies which Cloudflare account to deploy the worker to. How to obtain:
  1. Log in to your Cloudflare dashboard
  2. Select any domain or go to Workers & Pages
  3. Your Account ID is displayed on the right sidebar under Account ID
  4. Or find it in the URL: https://dash.cloudflare.com/<ACCOUNT_ID>/

Setting Up GitHub Secrets

Add these secrets to your GitHub repository:
  1. Go to your repository on GitHub
  2. Navigate to Settings > Secrets and variables > Actions
  3. Click New repository secret
  4. Add each secret:
    • Name: GH_SECRET, Value: Your GitHub Personal Access Token
    • Name: CLOUDFLARE_API_TOKEN, Value: Your Cloudflare API token
    • Name: CLOUDFLARE_ACCOUNT_ID, Value: Your Cloudflare account ID

Local Development

For local development, create a .env file in the project root: 
GH_SECRET=ghp_your_github_token_here
The .env file is loaded by the stats generation script: 
import dotenv from "dotenv";
dotenv.config();
Important: Never commit your .env file to version control. It should be in your .gitignore.

Environment Variable Usage

In Scripts

The scripts/stats.ts file uses GH_SECRET to fetch contribution data: 
const response = await fetch("https://api.github.com/graphql", {
  method: "POST",
  headers: {
    Authorization: `bearer ${process.env.GH_SECRET}`,
  },
});

In GitHub Actions

The workflow files use secrets for automated deployments: 
- name: fetch stats
  run: pnpm stats
  env:
    GH_SECRET: ${{ secrets.GH_SECRET }}

- name: deploy
  uses: cloudflare/[email protected]
  with:
    apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

Security Best Practices

Token Permissions

  • Use the minimum required scopes for GitHub tokens
  • Create Cloudflare tokens with specific permissions only
  • Set token expiration dates when possible

Token Rotation

  • Regularly rotate your API tokens
  • Update GitHub secrets after rotation
  • Monitor token usage in Cloudflare dashboard

Access Control

  • Limit who has access to repository secrets
  • Use separate tokens for development and production
  • Never log or expose tokens in code or workflows

Troubleshooting

”Failed to fetch contributions” Error

This usually means your GH_SECRET is invalid or expired:
  • Verify the token hasn’t expired
  • Check the token has the correct scopes (read:user and optionally repo)
  • Regenerate the token if necessary

Cloudflare Deployment Failures

If deployment fails with authentication errors:
  • Verify CLOUDFLARE_API_TOKEN is correct
  • Check the token has Workers Scripts edit permissions
  • Ensure CLOUDFLARE_ACCOUNT_ID matches your account

Local Development Issues

If pnpm stats fails locally:
  • Ensure your .env file exists in the project root
  • Verify GH_SECRET is set in the .env file
  • Check the .env file is not in .gitignore (it should be)

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us