
Security: ursine-code/static-deploy-kit


SECURITY.md

Security Policy

Supported Versions

Version   Supported
latest    Yes

Secrets Management

Storage

All secrets must be stored in GitHub repository settings under Settings > Secrets and variables > Actions. Never commit secrets to the repository.

Required Secrets

Secret               Purpose                           Scope
SFTP_HOST            Deployment server hostname        Deployment
SFTP_USERNAME        SFTP authentication               Deployment
SFTP_PASSWORD        SFTP authentication               Deployment
DEPLOY_BASE_PATH     Remote deployment directory       Deployment
PRODUCTION_DOMAIN    Production URL generation         Deployment
SANDBOX_DOMAIN       Sandbox URL generation (optional) Deployment

Application Secrets

Secret                  Purpose
NEXT_PUBLIC_EMAILJS_*   Client-side email service (public)
EMAILJS_ADMIN_*         Server-side email service (private)
ADMIN_EMAIL             Admin notification recipient

Automatic Secrets

Secret          Purpose
GITHUB_TOKEN    Auto-provided by GitHub Actions for API operations

Secret Handling in Workflows

Exposure Prevention

  • Secrets are masked in logs by GitHub Actions
  • Debug mode ([DEBUG_DEPLOYMENT_INFORMATION]) does not expose secret values
  • SFTP credentials are passed directly to action inputs, never echoed

Least Privilege

  • GITHUB_TOKEN permissions are scoped per-workflow
  • SFTP credentials should use a dedicated deployment user with write access limited to DEPLOY_BASE_PATH

Build-time Variables

Environment variables prefixed with NEXT_PUBLIC_ are embedded in the client bundle and publicly visible. Treat these as non-sensitive configuration only.
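As an added check that is not part of the kit itself, the script below parses a constructed .env-style listing of build-time variables and flags any NEXT_PUBLIC_ entry whose name or value looks like a credential, which is the "NEXT_PUBLIC_* variables contain no sensitive data" item of the audit checklist in code. The sample values and the name and value heuristics are assumptions; only NEXT_PUBLIC_EMAILJS_* and EMAILJS_ADMIN_* are taken from this policy.

```python
import re

# Constructed sample of build-time variables; values are made up.
# NEXT_PUBLIC_EMAILJS_* is the public client-side service from the policy,
# EMAILJS_ADMIN_* is the private server-side one and must never be public.
SAMPLE_ENV = """
NEXT_PUBLIC_EMAILJS_SERVICE_ID=service_abc123
NEXT_PUBLIC_EMAILJS_TEMPLATE_ID=template_xyz
NEXT_PUBLIC_EMAILJS_PUBLIC_KEY=user_PublicKey123
EMAILJS_ADMIN_PRIVATE_KEY=constructed_private_value
ADMIN_EMAIL=admin@example.invalid
NEXT_PUBLIC_ADMIN_TOKEN=constructed_admin_token
NEXT_PUBLIC_API=ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

PUBLIC_PREFIX = "NEXT_PUBLIC_"
# Name fragments that indicate a server-side or private value (assumed list).
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|PRIVATE|TOKEN|ADMIN", re.I)
# Well-known credential prefixes (GitHub PAT, Stripe, AWS access key id).
CREDENTIAL_VALUE = re.compile(r"^(ghp_|github_pat_|sk_live_|AKIA)")


def parse_env(text):
    """Parse KEY=VALUE lines into a dict, ignoring blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip().strip("\"'")
    return env


def audit_public_vars(env):
    """Return (name, reason) for every NEXT_PUBLIC_ variable that looks secret.

    Everything with the prefix ends up in the client bundle, so a sensitive
    name or a credential-shaped value here is a policy violation.
    """
    findings = []
    for name, value in env.items():
        if not name.startswith(PUBLIC_PREFIX):
            continue
        suffix = name[len(PUBLIC_PREFIX):]
        # "KEY" alone is ambiguous: EmailJS's PUBLIC_KEY is meant to ship.
        private_key = "KEY" in suffix and "PUBLIC_KEY" not in suffix
        if SENSITIVE_NAME.search(suffix) or private_key:
            findings.append((name, "name suggests a secret"))
        elif CREDENTIAL_VALUE.match(value):
            findings.append((name, "value looks like a credential"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_public_vars(parse_env(SAMPLE_ENV)):
        print(f"{name}: {reason}")
```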

Best Practices

  1. Rotate credentials — Update SFTP passwords periodically
  2. Use deploy keys — Prefer SSH keys over passwords when possible
  3. Limit server access — Restrict SFTP user to deployment directory only
  4. Audit access — Review repository collaborators with secrets access
  5. Environment separation — Use different credentials for staging vs production

Vulnerability Reporting

Report security vulnerabilities privately via GitHub's security advisory feature:

  1. Navigate to Security > Advisories
  2. Click New draft security advisory
  3. Provide details and reproduction steps

Do not open public issues for security vulnerabilities.

Deployment Security

SFTP

  • Connections use SSH (port 22) with password or key authentication
  • Existing deployments are backed up before overwrite
  • Deployment verification checks for expected files post-deploy

GitHub Releases

  • Tags are signed with GitHub's verified badge when using GITHUB_TOKEN
  • Release assets are immutable once published

Audit Checklist

  • Secrets stored in repository settings, not in code
  • SFTP user has minimal required permissions
  • NEXT_PUBLIC_* variables contain no sensitive data
  • Repository access limited to trusted collaborators
  • Branch protection enabled for main
