Securely storing secrets in CI/CD and environment variables

API keys do not belong in your Git repository

One key security lesson: treat secrets as secrets. The Leafy Energy demo uses examples to explain how to store API keys and tokens safely.

Do

• Store secrets in your CI/CD platform's secret vault (for example as environment variables).
• Use a local .env file for development that is never committed.
• Restrict access to secrets to only those pipelines that actually need them.

Do not

• Hardcode secrets in source code.
• Share screenshots of config pages showing full keys.
• Reuse keys across multiple environments.

In the demo you might show a screenshot of a Leafy Energy API key stored as a masked secret in a CI pipeline.