Configuring Secrets

After initializing a repo with the CLI, you need to configure secrets so the workflows can authenticate with external services.

Repository-level secrets

Set these in Settings > Secrets and variables > Actions > Repository secrets:

Secret	Required for	Purpose
SOURCEGRAPH_TOKEN	All presets	Code search via Sourcegraph MCP
ROLLBAR_TOKEN	All presets	Error tracking via Rollbar MCP
POSTHOG_TOKEN	web preset only	Analytics via PostHog MCP

Organization-level variables

These are typically set at the GitHub organization level and available to all repos:

Variable	Purpose
BUCKY_APP_ID	GitHub App ID for cross-repo access
BUCKY_APP_PRIVATE_KEY	GitHub App private key
OIDC_IAM_ROLE	AWS IAM role ARN for Bedrock authentication
ARTIFACTORY_NPM_PROD_TOKEN	NPM registry token (web preset)
ARTIFACTORY_GOPROXY	Go proxy URL (golang preset)
ARTIFACTORY_PROD_REPO	NPM registry URL (web preset)
BUF_ACCESS_TOKEN_SECRET_ARN	Buf token ARN for protobuf (web preset)

Tip

Repository-level secrets override organization-level ones with the same name. You only need to set SOURCEGRAPH_TOKEN, ROLLBAR_TOKEN, and optionally POSTHOG_TOKEN at the repo level — everything else is inherited from the org.

How secrets flow

1. Your caller workflow uses secrets: inherit to pass all repository and org secrets to the reusable workflow
2. The reusable workflow resolves the preset via resolve-preset and determines which secrets to inject
3. Secrets are passed as env: variables on the claude-code-action step, making them available to MCP servers inside plugins