
Staging and CI setup

Set up a non-production Restormel target and wire it into your app’s CI. For each secret you get: where to get it, what to call it, where to save it, and how to rotate or replace it.

Order of operations: (1) Get secrets from Restormel (Copy for CI) → (2) Add them to GitHub (or GCP) → (3) Use them in your repo (workflow env + npx @restormel/validate). Do not point CI at production unless you explicitly accept that risk.

0. Get the secrets from Restormel

Before adding anything to GitHub, collect the three required values from the Dashboard.

  1. Open the Dashboard (/keys/dashboard). Sign in with GitHub if prompted.
  2. Go to Copy for CI — In the left sidebar, click Copy for CI (or open /keys/dashboard/copy-for-ci).
    • If you get a 404 or don't see "Copy for CI" in the sidebar, the dashboard may not have that page yet. Use Projects → click your staging project name → on the project page, scroll to the Copy for CI (GitHub Secrets) section.
  3. Choose your staging project — On the Copy for CI page, click your staging project name. You'll land on that project's page with the Copy for CI section in view.
  4. Copy the three required values: Project ID (Copy button), Environment ID (Copy button), and Gateway Key (click Create key in Access, then copy the key when shown—you only see it once). Store the key somewhere temporary until you add it to GitHub.
  5. Optional later: note the route ID for smoke tests; from Routes/Policies pick a blocked model + provider for policy tests (see section 2).

Add these as GitHub (or GCP) secrets in section 2 and wire them into your workflow in sections 3–6.

| Goal | In Restormel | In your repo (e.g. GitHub) |
| --- | --- | --- |
| Minimum (PR doctor + validate) | Project + env + Gateway Key | RESTORMEL_GATEWAY_KEY_STAGING, RESTORMEL_PROJECT_ID_STAGING, RESTORMEL_ENVIRONMENT_ID_STAGING |
| + Smoke tests | Route ID | RESTORMEL_SMOKE_ROUTE_ID_STAGING |
| + Blocked-model test | Model/provider policies reject | RESTORMEL_SMOKE_BLOCKED_MODEL_ID_STAGING, RESTORMEL_SMOKE_BLOCKED_PROVIDER_TYPE_STAGING |

1. What to create in Restormel

Create these in the Dashboard before storing secrets.

  • Non-production project or environment — Prefer a dedicated staging project; or add a staging environment to your existing project.
  • Route for smoke tests (if you will run smoke) — Note the route ID (e.g. interactive) from Project → Routes.
  • Optional blocked-model pair — A model + provider your staging policies reject (e.g. a model not on the allowlist).

2. Each secret: where to get it, what to call it, where to save it, rotate/replace

Store secrets in your app repo: Settings → Secrets and variables → Actions → New repository secret. In workflows, map them to env vars (e.g. RESTORMEL_GATEWAY_KEY: ${{ secrets.RESTORMEL_GATEWAY_KEY_STAGING }}). GCP Secret Manager: same names, inject in the workflow as you do for app secrets.

Gateway Key (required)

  • Where to get it: Dashboard → staging project → API Keys → Generate key. Copy the rk_... value (shown once).
  • What to call it: RESTORMEL_GATEWAY_KEY_STAGING. Workflow passes as RESTORMEL_GATEWAY_KEY.
  • Where to save it: GitHub: New repository secret, name RESTORMEL_GATEWAY_KEY_STAGING, value = the key. Or GCP Secret Manager.
  • Rotate or replace: Dashboard → same project → API Keys → revoke old, generate new. Update the secret value in GitHub/GCP. No code change.

Project ID (required)

  • Where to get it: Dashboard → staging project → project settings or URL. Copy the project UUID.
  • What to call it: RESTORMEL_PROJECT_ID_STAGING. Workflow passes as RESTORMEL_PROJECT_ID.
  • Where to save it: New repository secret RESTORMEL_PROJECT_ID_STAGING, value = project UUID. Or GCP.
  • Rotate or replace: Project IDs don’t rotate. If you replace the staging project, update the secret with the new project’s UUID. No code change.

Environment ID (required)

  • Where to get it: Dashboard → same project → Environments. Copy the staging environment’s ID (slug or UUID, e.g. staging).
  • What to call it: RESTORMEL_ENVIRONMENT_ID_STAGING. Workflow passes as RESTORMEL_ENVIRONMENT_ID.
  • Where to save it: New repository secret RESTORMEL_ENVIRONMENT_ID_STAGING. Or GCP.
  • Rotate or replace: If you replace the staging environment, update the secret with the new environment ID. No code change.

Smoke route ID (optional)

  • Where to get it: Dashboard → same project → Routes → open the route (e.g. interactive). Copy the route ID (often the slug).
  • What to call it: RESTORMEL_SMOKE_ROUTE_ID_STAGING or RESTORMEL_ANALYSE_ROUTE_ID_STAGING. Workflow passes as RESTORMEL_SMOKE_ROUTE_ID.
  • Where to save it: New repository secret with that name. Or GCP.
  • Rotate or replace: If you rename the route or use a different one, update the secret with the new route ID. No code change if the script reads env.

Blocked model ID (optional)

  • Where to get it: Pick a model ID your staging policies block (e.g. gpt-3.5-turbo). Confirm via evaluate or Dashboard.
  • What to call it: RESTORMEL_SMOKE_BLOCKED_MODEL_ID_STAGING. Workflow passes as RESTORMEL_SMOKE_BLOCKED_MODEL_ID.
  • Where to save it: New repository secret, value e.g. gpt-3.5-turbo. Or GCP.
  • Rotate or replace: If policies change and this model becomes allowed, pick another blocked model and update the secret. No code change.

Blocked provider type (optional)

  • Where to get it: The provider type for the blocked model (e.g. openai, anthropic).
  • What to call it: RESTORMEL_SMOKE_BLOCKED_PROVIDER_TYPE_STAGING. Workflow passes as RESTORMEL_SMOKE_BLOCKED_PROVIDER_TYPE.
  • Where to save it: New repository secret, value e.g. openai. Or GCP.
  • Rotate or replace: Update if you change the blocked model to one from a different provider. No code change.

Keys base URL (optional; usually omit)

  • Where to get it: Default is https://restormel.dev. Only set if you use a different API host.
  • What to call it: RESTORMEL_KEYS_BASE_STAGING. Workflow passes as RESTORMEL_KEYS_BASE.
  • Where to save it: GitHub or GCP. Omit if using default.
  • Rotate or replace: Only if the API host changes. Update the secret. No code change.

3. Configure scheduled CI (nightly)

In your nightly workflow (e.g. nightly-gate-audit.yml), add env from staging secrets and run:

```yaml
# Keys of one workflow step: env is populated from the staging secrets
env:
  RESTORMEL_GATEWAY_KEY: ${{ secrets.RESTORMEL_GATEWAY_KEY_STAGING }}
  RESTORMEL_PROJECT_ID: ${{ secrets.RESTORMEL_PROJECT_ID_STAGING }}
  RESTORMEL_ENVIRONMENT_ID: ${{ secrets.RESTORMEL_ENVIRONMENT_ID_STAGING }}

# then:
run: npx @restormel/validate
# optionally: pnpm run smoke:restormel
```

Add smoke:restormel to nightly only if staging is stable and you're comfortable with nightly traffic hitting it.

4. Configure post-deploy

Safer at first: After deploy, an operator runs pnpm run smoke:restormel manually and checks the dashboard.

Automated: Add a post–health-check step in deploy; inject staging secrets; run pnpm run smoke:restormel. Don’t make it deploy-blocking until the path and staging project are reliably healthy.

5. Recommended minimum setup (phased)

  • Phase A — Secrets: RESTORMEL_GATEWAY_KEY_STAGING, RESTORMEL_PROJECT_ID_STAGING, RESTORMEL_ENVIRONMENT_ID_STAGING. Enough for PR doctor and npx @restormel/validate.
  • Phase B — Add RESTORMEL_SMOKE_ROUTE_ID_STAGING. Enough for post-deploy or nightly pnpm run smoke:restormel.
  • Phase C — Add RESTORMEL_SMOKE_BLOCKED_MODEL_ID_STAGING and RESTORMEL_SMOKE_BLOCKED_PROVIDER_TYPE_STAGING after staging policies are stable.

6. Workflow file changes (optional)

Nightly: add staging env and npx @restormel/validate (and optionally pnpm run smoke:restormel) to nightly-gate-audit.yml or equivalent. Post-deploy: add an optional step to deploy.yml that injects secrets and runs pnpm run smoke:restormel; don’t gate deploys on it until you’re confident.
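
A preflight that a workflow step could run before npx @restormel/validate, given here as an added example and not part of Restormel's own tooling: it fails fast when a required staging value is empty, when the gateway key lacks the rk_ prefix, when the environment slug looks like production, or when only half of the Phase C pair is set. The function name, the list of production-looking slugs and RESTORMEL_ALLOW_PRODUCTION are assumptions of this example.

```sh
#!/bin/sh
# Preflight for the staging variables this page maps into the workflow env.
# RESTORMEL_ALLOW_PRODUCTION is a hypothetical opt-in of this example, not a Restormel setting.
# The body runs in a subshell ( ... ) so helper variables never leak to the caller.
restormel_preflight() (
  rc=0
  # GitHub Actions expands a missing secret to an empty string, so test for empty.
  for name in RESTORMEL_GATEWAY_KEY RESTORMEL_PROJECT_ID RESTORMEL_ENVIRONMENT_ID; do
    eval "value=\${$name:-}" # names come only from the fixed list above
    if [ -z "$value" ]; then
      echo "preflight: $name is empty; check the ${name}_STAGING secret" >&2
      rc=1
    fi
  done

  # The page shows gateway keys as rk_...; flag a mismatch without printing the value.
  case "${RESTORMEL_GATEWAY_KEY:-}" in
    '' | rk_?*) ;;
    *) echo "preflight: RESTORMEL_GATEWAY_KEY does not start with rk_" >&2; rc=1 ;;
  esac

  # Refuse slugs that look like production unless the risk is explicitly accepted
  # (an environment ID given as a UUID cannot be classified this way).
  env_id=$(printf '%s' "${RESTORMEL_ENVIRONMENT_ID:-}" | tr '[:upper:]' '[:lower:]')
  case "$env_id" in
    prod | production | live)
      if [ "${RESTORMEL_ALLOW_PRODUCTION:-}" != "1" ]; then
        echo "preflight: environment '$env_id' looks like production" >&2
        rc=1
      fi ;;
  esac

  # Phase C: blocked model ID and provider type are only useful as a pair.
  model=${RESTORMEL_SMOKE_BLOCKED_MODEL_ID:-}
  provider=${RESTORMEL_SMOKE_BLOCKED_PROVIDER_TYPE:-}
  if [ -n "$model$provider" ] && { [ -z "$model" ] || [ -z "$provider" ]; }; then
    echo "preflight: set both blocked model ID and provider type, or neither" >&2
    rc=1
  fi
  exit "$rc"
)

# Constructed demo values, not real credentials.
(
  RESTORMEL_GATEWAY_KEY=rk_constructed_demo
  RESTORMEL_PROJECT_ID=constructed-project-id
  RESTORMEL_ENVIRONMENT_ID=staging
  restormel_preflight
) && echo "preflight: ok"
```

In a workflow step the function would be sourced and called ahead of the validate command, so a missing or mismatched secret stops the job before any request reaches Restormel.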

See Verification strategy for CLI and smoke details; Phase 6 — Go live for the smoke script.