GitHub Secrets & Variables
Configure these in your GitHub repository: Settings > Secrets and variables > Actions.
Secrets
Secrets are encrypted and not visible after creation.
Required (Both Strategies)
| Secret | Description | Example |
|---|---|---|
| SSH_HOST | SSH hostname | your-server.netsons.com |
| SSH_USER | SSH username | your-cpanel-user |
| SSH_PRIVATE_KEY | Full SSH private key content | -----BEGIN OPENSSH PRIVATE KEY-----... |
| SSH_KNOWN_HOSTS | Known hosts entry for the server | Output of ssh-keyscan -p 65100 host |
Optional
| Secret | Description |
|---|---|
| SSH_PORT | SSH port (default: 65100) |
| SSH_KEY_PASSPHRASE | SSH key passphrase, if set |
FTP Strategy Only
| Secret | Description | Example |
|---|---|---|
| FTP_HOST | FTP server hostname | your-server.netsons.com |
| FTP_USER | FTP username | your-cpanel-user |
| FTP_PASS | FTP password | your-cpanel-password |
| FTP_PORT | FTP port | 21 |
Custom Env Variables
Any secret-backed env variables configured in netsons-deploy.json must also be added as secrets. For example:
| Secret | Description |
|---|---|
| DB_DATABASE | Database name |
| DB_USERNAME | Database username |
| DB_PASSWORD | Database password |
Use php artisan netsons:env list to see all configured secrets.
Notifications (Optional)
| Secret | Description |
|---|---|
| SLACK_WEBHOOK_DEBUG | Slack webhook URL for deploy notifications |
The secret name is configurable via netsons-deploy.json.
Variables
Variables are visible in plain text. Do not store sensitive data here.
Required (Both Strategies)
| Variable | Description | Example |
|---|---|---|
| DEPLOY_PATH | Deploy path relative to home | public_html |
| APP_ENV | Application environment | production |
| APP_DEBUG | Debug mode | false |
| APP_URL | Application URL | https://your-domain.com |
Git Strategy Only
| Variable | Description | Example |
|---|---|---|
| GIT_REPO | Repository HTTPS URL | https://github.com/user/repo.git |
| GIT_BRANCH | Branch to deploy | main |
Environment-Specific Configuration
Use GitHub Environments to have different values per environment:
- Go to Settings > Environments
- Create stage and production environments
- Add environment-specific variables/secrets to each
This allows the same workflow to deploy to different servers or paths depending on the selected environment.
Optional (Git Strategy — Private Repos)
| Secret | Description |
|---|---|
| GIT_TOKEN | GitHub token for private repo access |
For public repos, GIT_TOKEN is not needed.
Private Repository Setup (Git Strategy)
Netsons shared hosting blocks outbound SSH, so the git strategy uses HTTPS for cloning. Private repos need a token for authentication.
Option A: GITHUB_TOKEN (recommended for same-repo deploys)
Edit your .github/workflows/deploy.yml and change the GIT_TOKEN line in the “Deploy via Git” step:
GIT_TOKEN: ${{ github.token }}
github.token is automatically provided by GitHub Actions with read access to the repository. No secrets to create or rotate.
Option B: Personal Access Token (cross-repo or fine-grained control)
- Create a fine-grained PAT at github.com > Settings > Developer settings > Personal access tokens > Fine-grained tokens
- Grant read-only access to the repository contents
- Add it as a secret named GIT_TOKEN in your repo (Settings > Secrets)
- The workflow already references ${{ secrets.GIT_TOKEN }}
Getting SSH Values
SSH_PRIVATE_KEY
cat ~/.ssh/id_ed25519
Include everything from -----BEGIN to -----END.
SSH_KNOWN_HOSTS
ssh-keyscan -p 65100 your-server.netsons.com
Copy the full output.
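ssh-keyscan accepts whatever key the network path presents, so the output is worth checking before it becomes the pinned SSH_KNOWN_HOSTS value. The following is an added example, not part of the package: it parses keyscan output, computes the OpenSSH SHA256 fingerprint of each key, and accepts the scan only if every key for the host matches a fingerprint you obtained through a trusted channel. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Return [(host, key_type, fingerprint)] for each entry in a keyscan output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("@"):
            raise ValueError(f"unexpected known_hosts line: {line!r}")
        host, key_type, key_b64 = fields[:3]
        blob = base64.b64decode(key_b64, validate=True)
        # The blob begins with its own length-prefixed type name, which must
        # agree with the type column of the line.
        if len(blob) < 4:
            raise ValueError(f"truncated key for {host}")
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"key type mismatch for {host}")
        entries.append((host, key_type, fingerprint(blob)))
    return entries


def verify(text: str, host: str, pinned: set) -> bool:
    """True only if host has entries and every one matches a pinned fingerprint."""
    seen = [fp for h, _, fp in parse_known_hosts(text) if h == host]
    return bool(seen) and all(fp in pinned for fp in seen)


def sample_line(host: str, raw_key: bytes) -> str:
    """Constructed ssh-ed25519 known_hosts line; not a real server key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Non-default ports are recorded as [host]:port in known_hosts.
HOST = "[your-server.netsons.com]:65100"
SCAN = "# constructed sample scan\n" + sample_line(HOST, bytes(range(32)))
```

Call verify() with the real ssh-keyscan output, the bracketed host form, and the set of trusted fingerprints; the fingerprint strings use the same format that ssh-keygen -lf prints.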