type: decision
status: active
timestamp: 2026-06-20
tags: [decisions, security, secrets, doppler, github, cloudflare, firebase]

Doppler is the source of truth for secrets; GitHub / Cloudflare / Firebase are runtime mirrors

Doppler single source for secrets. GH/CF/Firebase synced downstream

Decision

Doppler is the single source of truth for every secret used across the chirag127/oriz family. Every other place a secret can live — GitHub Secrets, Cloudflare Worker vars + secrets, Firebase functions config, and local development environments populated by doppler run — is a downstream mirror fed by Doppler’s sync integrations. Humans only ever write secrets in Doppler; editing a secret directly at a mirror is not a supported path, because the next sync from Doppler is what the mirror is expected to reflect.

The user’s home-grown envpact vault stays around for personal / non-family secrets but is no longer the family-stack source of truth.

Why

The user asked the agent to choose between GitHub Secrets, Doppler, and Infisical (1Password’s automation product was a fourth candidate). The agent picked Doppler for these concrete reasons:

Implications

Architecture

        Doppler (source of truth)
           +-- → GitHub Secrets   (org / repo / env scope)
           +-- → Cloudflare       (Worker vars + secrets)
           +-- → Firebase config  (functions:config + Auth provider creds)
           +-- → Local dev        (via `doppler run -- pnpm dev`)

Project layout in Doppler

Doppler project    Environments   What lives there
oriz-firebase      dev, prod      Microsoft OAuth client ID/secret, reCAPTCHA Enterprise key, Firebase service account JSON, Auth provider creds
oriz-worker        dev, prod      HOOKDECK_SIGNING_SECRET, Razorpay key + secret, Resend API key, Sentry DSN
oriz-omnipost      prod           Per-adapter platform tokens (OMNIPOST_DEVTO_TOKEN, OMNIPOST_HASHNODE_TOKEN, …), GH bot PAT for repo writeback
oriz-monitoring    prod           Sentry DSN, Axiom token, Better Stack token, healthchecks.io ping URLs
oriz-cli           dev            local-only CLI auth tokens
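The rule in the Decision section ("humans only ever write secrets in Doppler") and the layout table above only hold if someone checks that the mirrors still match Doppler. The script below is an added example of that check, not a script from this repo or from Doppler: it compares the secret names Doppler holds for one config against the names present in a downstream mirror and reports "orphans" (present downstream but unknown to Doppler, i.e. written by hand) and "unsynced" names (present in Doppler, missing downstream). Both inputs are constructed inline so it runs offline; in real use they would come from `doppler secrets --project oriz-worker --config prod --only-names` and `gh secret list --repo <owner>/<repo>`. HOOKDECK_SIGNING_SECRET and SENTRY_DSN are taken from the table; RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRET, RESEND_API_KEY and LEGACY_SMTP_PASSWORD are assumed names chosen for the example.

```shell
#!/usr/bin/env sh
# Added example: drift check between a Doppler config (source of truth) and a
# downstream mirror. Not part of the original decision record.
set -eu
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Constructed sample standing in for:
#   doppler secrets --project oriz-worker --config prod --only-names
# (RAZORPAY_* and RESEND_API_KEY are assumed names for the table's entries.)
doppler_names() {
  printf '%s\n' HOOKDECK_SIGNING_SECRET RAZORPAY_KEY_ID RAZORPAY_KEY_SECRET \
                RESEND_API_KEY SENTRY_DSN
}

# Constructed sample standing in for `gh secret list` (name<TAB>updated).
# LEGACY_SMTP_PASSWORD has no Doppler counterpart: someone set it by hand.
# SENTRY_DSN is absent: the sync has not landed or was deleted downstream.
github_secret_list() {
  printf 'HOOKDECK_SIGNING_SECRET\t2026-06-01\n'
  printf 'RAZORPAY_KEY_ID\t2026-06-01\n'
  printf 'RAZORPAY_KEY_SECRET\t2026-06-01\n'
  printf 'RESEND_API_KEY\t2026-06-01\n'
  printf 'LEGACY_SMTP_PASSWORD\t2025-11-03\n'
}

# Write both name sets, sorted, to temp files and run comm with the given flags.
# comm -13 keeps lines only in the mirror; comm -23 keeps lines only in Doppler.
_compare() {
  a=$(mktemp); b=$(mktemp)
  doppler_names | sort > "$a"
  github_secret_list | cut -f1 | sort > "$b"
  comm "$1" "$a" "$b"
  rm -f "$a" "$b"
}

# In the mirror but not in Doppler: a human bypassed the source of truth.
orphan_secrets()   { _compare -13; }

# In Doppler but not in the mirror: sync lag or a failed integration.
unsynced_secrets() { _compare -23; }

# Human-readable report; exit status 1 when the mirror has drifted.
report() {
  rc=0
  o=$(orphan_secrets); u=$(unsynced_secrets)
  if [ -n "$o" ]; then
    printf 'ORPHAN (remove at mirror, re-create in Doppler):\n%s\n' "$o"; rc=1
  fi
  if [ -n "$u" ]; then
    printf 'UNSYNCED (check the Doppler integration):\n%s\n' "$u"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo 'mirror matches Doppler'
  return "$rc"
}
```

Run `report` once per (project, config, mirror) pair from the table; a non-zero exit is the signal that a secret was written somewhere other than Doppler, or that a sync integration is no longer delivering. Only names are compared, never values, so the check itself needs no access to secret material.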

Operational

What we don’t do

Cross-refs
