Skill: env-secrets-governance
Purpose
Standardize environment variable handling and prevent secret leaks across all related repos.
Rules
- Local development uses `.env` only (gitignored).
- Repository template uses `.env.example` only (key names, no values).
- SIT/Prod uses Secret Manager or platform environment variables.
- Never commit real tokens/passwords/private keys to Git.
When changing env vars
- Add/remove key names in `.env.example`.
- Update `docs/operations-governance/release-checklist.md` env checks if the process changes.
- Mention env impact in PR Scope/Risk/Rollback.
Review checklist
- No sensitive values in staged changes.
- `.gitignore` still protects `.env` and `.env.*`.
- New keys are documented and validated in release checks.
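The rules and the review checklist above can be enforced locally before a PR is opened. The script below is an added example, not part of this skill file or its related repos: it checks that `.gitignore` covers `.env` and `.env.*`, that `.env.example` carries key names only, and that a staged diff contains no credential-looking lines. The function names, the secret patterns, and the sample tree it builds under `$TMPDIR` are assumptions chosen for illustration; a real repository would tune the patterns and feed `git diff --cached` into the scanner.

```shell
#!/bin/sh
# Added example (not the skill's own tooling). Helper names and patterns are
# assumptions; the sample files are constructed so the script runs offline.

# check_gitignore FILE: .env and .env.* must be ignored. Because the glob
# .env.* also matches .env.example, the template must be re-allowed with a
# negation or it can never be committed.
check_gitignore() {
  file="$1"
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  grep -qx '\.env' "$file"           || { echo ".gitignore lacks .env" >&2; return 1; }
  grep -qx '\.env\.\*' "$file"       || { echo ".gitignore lacks .env.*" >&2; return 1; }
  grep -qx '!\.env\.example' "$file" || { echo ".gitignore lacks !.env.example" >&2; return 1; }
  return 0
}

# check_example_file FILE: every line must be a comment, blank, or a bare
# KEY= with nothing after the '='. Any value, even a harmless default, fails.
check_example_file() {
  file="$1"
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  if grep -En '^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]]' "$file"; then
    echo "$file carries values; keep key names only" >&2
    return 1
  fi
  return 0
}

# scan_for_secrets: read a diff (e.g. `git diff --cached`) or plain text on
# stdin; removed lines are skipped, and the function fails on lines that look
# like an AWS access key id, a PEM private key block, or a long value assigned
# to a secret-ish key name.
scan_for_secrets() {
  grep -v '^-' | grep -E \
    -e 'AKIA[0-9A-Z]{16}' \
    -e 'BEGIN [A-Z ]*PRIVATE KEY' \
    -e '^\+?[A-Za-z0-9_]*(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)[A-Za-z0-9_]*=[^[:space:]]{8,}' \
    >/dev/null && return 1
  return 0
}

# build_sample DIR: constructed repo layout following the rules above, plus a
# local .env with made-up values that must never reach Git.
build_sample() {
  dir="$1"
  mkdir -p "$dir"
  printf '.env\n.env.*\n!.env.example\n' > "$dir/.gitignore"
  printf '# copy to .env and fill in\nDB_HOST=\nDB_PASSWORD=\nAPI_TOKEN=\n' > "$dir/.env.example"
  printf 'DB_HOST=localhost\nDB_PASSWORD=not-a-real-password\n' > "$dir/.env"
}

# Constructed diffs resembling `git diff --cached` output: one where a developer
# staged a real-looking token value (made up), one that only adds a key name.
LEAKY_DIFF='diff --git a/config.py b/config.py
+++ b/config.py
-API_TOKEN = os.environ["API_TOKEN"]
+API_TOKEN=example-only-0123456789abcdef'

CLEAN_DIFF='diff --git a/.env.example b/.env.example
+++ b/.env.example
+API_TOKEN='

# run_all DIR: run every review check; returns 0 only when all pass.
run_all() {
  dir="$1"
  check_gitignore "$dir/.gitignore" &&
  check_example_file "$dir/.env.example" &&
  printf '%s\n' "$CLEAN_DIFF" | scan_for_secrets
}

SAMPLE="${TMPDIR:-/tmp}/env-governance-demo.$$"
build_sample "$SAMPLE"
if run_all "$SAMPLE"; then echo "sample tree: OK"; fi
printf '%s\n' "$LEAKY_DIFF" | scan_for_secrets || echo "leaky diff: blocked (expected)"
check_example_file "$SAMPLE/.env" >/dev/null 2>&1 || echo ".env as template: rejected (expected)"
rm -rf "$SAMPLE"
```

In a repository, `git diff --cached | scan_for_secrets` in a pre-commit hook covers the "no sensitive values in staged changes" item; the `.gitignore` check deliberately requires `!.env.example`, since `.env.*` alone would also hide the template the rules ask you to commit.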