Use environment secrets and variables for security

[5ouma]

⚠️ Issue

close #

✏️ Description

Restrict the token usage for each environment.

• I agree to follow the Code of Conduct.

[coderabbitai]

Warning

Rate limit exceeded

@5ouma has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 6 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9741ca5c-f25f-4544-ad34-5bcb5a21ff7a

📥 Commits

Reviewing files that changed from the base of the PR and between 19f1605 and a52c1e8.

📒 Files selected for processing (3)

• .github/workflows/ci-checker.yml
• .github/workflows/ci.yml
• .github/workflows/release.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci-ci-environment-secrets

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates GitHub Actions workflows to use GitHub Environments and (partially) move sensitive configuration from repository secrets to environment-scoped variables/secrets, aiming to restrict token usage per environment.

Changes:

• Add job-level environment assignments to Release, CI test, and CI-Checker merge jobs.
• Switch Release workflow GitHub App app-id from secrets to vars to support environment/repo variables.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/release.yml	Adds environment: Release and moves APP_ID to vars for the GitHub App token step.
.github/workflows/ci.yml	Assigns the test job to the CI environment.
.github/workflows/ci-checker.yml	Assigns the Renovate auto-merge job to the CI-Checker environment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (7870e73) to head (a52c1e8).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #389   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            6         6           
  Lines          115       115           
  Branches         9         9           
=========================================
  Hits           115       115           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.