.env.example synced from master — single source of truth — The canonical .env.example lives at templates/.env.example in the master repo. Every other repo's .env.example is a verbatim copy generated by syncing from master. CI fails on drift. Supersedes the earlier 'each repo ships its own superset' rule — one source, many mirrors, never hand-edit a child .env.example.
GitHub Actions secrets live at chirag127 org level — never per-repo — Every GitHub Actions secret used by any chirag127/oriz* repo is set ONCE at the chirag127 org level with gh secret set --org chirag127 --visibility all. Per-repo secret writes are forbidden — they cause drift the same way per-repo .env.example edits do. Doppler stays the source of truth; org-level GH secrets are the runtime mirror.
— .env.enc (sops+age) at the umbrella root preserves all 134 comments + 65 keys + section structure of .env, making .env.example redundant for the umbrella. Do not create .env.example anywhere at the umbrella root. Individual submodules MAY have their own .env.example when they document a smaller scope-specific subset of env vars.
Env vars live at GitHub ORG level only — per-repo secrets FORBIDDEN — User mandate 2026-06-22 evening: 'Don't hit the GitHub API so many times. Requests have to be made only on the organization level, not to the individual repositories. The CI/CD pipelines will use the global environment variables only.' Per-repo secret writes are forbidden (they cause 2,730+ API calls per sync and hit the 5K/hr rate limit). Migration to GH Org chirag127 COMPLETED 2026-06-22 (76 repos transferred, 61 org secrets pushed). Repository destination: github.com/chirag127/.
Env files in submodules: .env gitignored, .env.enc committed, .env.example committed, single age key — Any submodule that consumes env vars MAY have all 3 env files in its root: (1) .env (gitignored, local working copy, the only place real secrets live in plaintext), (2) .env.enc (sops+age encrypted, COMMITTED to git so git history and the 6-host mirror cron back it up automatically), (3) .env.example (plaintext, COMMITTED, KEY=placeholder format, auto-generated from .env for shape documentation). All submodule .env.enc files encrypt with the SAME age key as the umbrella (bw get age-key) so recovery is one command from anywhere. Each submodule holds only the SUBSET of keys it consumes — not the full umbrella .env.
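Added example, not part of these notes or the project's own tooling: a small Python helper that renders a submodule's .env into the KEY=placeholder .env.example form (keeping comments and blank lines so section structure survives), checks that the submodule's keys are a subset of the umbrella .env, and flags a committed .env.example that has drifted from its regenerated form, as a CI check would. The .env contents are constructed samples; the placeholder style `KEY=<KEY>` is an assumption.

```python
import re

# Matches KEY=value with an optional leading "export "; group 1 = prefix, 2 = key, 3 = value.
ASSIGN_RE = re.compile(r"^((?:export\s+)?)([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")

# Constructed sample inputs: not real secrets and not the project's real files.
UMBRELLA_ENV = """# --- database ---
DB_URL=postgres://user:pw@db/app
DB_POOL=10

# --- api ---
API_KEY=sk-live-constructed-not-real
EMPTY=
"""
SUBMODULE_ENV = """# --- api ---
export API_KEY=sk-live-constructed-not-real
EMPTY=
"""


def to_example(env_text: str) -> str:
    """Render .env.example text: comments and blank lines are kept verbatim so the
    section structure survives; every assignment becomes KEY=<KEY> (assumed placeholder
    style). Secret values never reach the output."""
    out = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(line)
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable .env line: {line!r}")
        prefix, key = m.group(1), m.group(2)
        out.append(f"{prefix}{key}=<{key}>")  # placeholder only, value dropped
    return "\n".join(out) + "\n"


def keys_of(env_text: str) -> set:
    """Variable names assigned in an .env or .env.example (comments ignored)."""
    return {m.group(2) for l in env_text.splitlines()
            if (m := ASSIGN_RE.match(l.strip())) is not None}


def keys_not_in_umbrella(sub_env: str, umbrella_env: str) -> set:
    """Submodule keys the umbrella .env does not define; must be empty per the subset rule."""
    return keys_of(sub_env) - keys_of(umbrella_env)


def is_drifted(committed_example: str, env_text: str) -> bool:
    """CI-style check: the committed .env.example must equal the regenerated one exactly."""
    return committed_example != to_example(env_text)
```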