Secret Rotation Schedule
Active Secrets
| Secret | Location | Last Rotated | Rotation Policy | Next Due |
|---|---|---|---|---|
| GITHUB_TOKEN | Auto-generated | N/A | Automatic per workflow run | N/A |
| Cloudflare API Token | Cloudflare Pages integration | 2026-04-01 | Every 90 days | 2026-07-01 |
| Cloudflare Analytics Token | Web Analytics beacon | 2026-04-01 | Static (client-side, non-secret) | N/A |
Rotation Process
- Generate a new token/key in the relevant service
- Update the GitHub Actions secret or Cloudflare Pages environment variable
- Verify all workflows pass with the new token
- Revoke the old token
- Update the "Last Rotated" date in this document
- Commit the updated document
Automated Reminders
The stale-content-issues.yml workflow monitors this document's last_reviewed date. If the document is not updated within 90 days, a stale content issue is created as a reminder to review rotation status.
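The reminder described above tracks when this document was last reviewed, not each secret's own due date. The following added example (not part of the project's workflows) parses the Active Secrets table and reports the status of every secret with a periodic policy. The function names, the 14-day warning window and the status labels are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Table copied from the "Active Secrets" section of this page.
TABLE = """\
| Secret | Location | Last Rotated | Rotation Policy | Next Due |
|---|---|---|---|---|
| GITHUB_TOKEN | Auto-generated | N/A | Automatic per workflow run | N/A |
| Cloudflare API Token | Cloudflare Pages integration | 2026-04-01 | Every 90 days | 2026-07-01 |
| Cloudflare Analytics Token | Web Analytics beacon | 2026-04-01 | Static (client-side, non-secret) | N/A |
"""

def parse_rows(markdown):
    """Return one dict per data row, keyed by the header cells."""
    lines = [l.strip() for l in markdown.splitlines() if l.strip().startswith("|")]
    cells = [[c.strip() for c in l.strip("|").split("|")] for l in lines]
    header, body = cells[0], cells[2:]  # cells[1] is the |---| separator row
    return [dict(zip(header, row)) for row in body]

def rotation_status(markdown, today, warn_days=14):
    """Map each periodically rotated secret to OK, DUE_SOON, OVERDUE or INVALID."""
    status = {}
    for row in parse_rows(markdown):
        if not re.fullmatch(r"Every \d+ days", row["Rotation Policy"]):
            continue  # automatic or static entries have nothing to schedule
        try:
            due = date.fromisoformat(row["Next Due"])
        except ValueError:
            # A periodic policy without a usable date must not pass silently.
            status[row["Secret"]] = "INVALID"
            continue
        if today > due:
            status[row["Secret"]] = "OVERDUE"
        elif today >= due - timedelta(days=warn_days):
            status[row["Secret"]] = "DUE_SOON"
        else:
            status[row["Secret"]] = "OK"
    return status

if __name__ == "__main__":
    for secret, state in rotation_status(TABLE, date.today()).items():
        print(f"{state:8} {secret}")
```

Run on a schedule, a non-OK status can fail the job or open an issue in the same way the stale-content reminder does.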
Canary Tokens
Canary tokens are documented separately in Canary Tokens. They do not require rotation but should be verified quarterly to ensure alert endpoints are still active.
Emergency Rotation
If a secret is suspected compromised:
- Immediately revoke the old token in the relevant service
- Generate a new token
- Update the GitHub Actions secret
- Verify all workflows pass
- Review audit logs for unauthorized usage
- Update this document
- Follow the Incident Response Runbook if applicable