
Environment Variables

ForgePortal reads configuration from forgeportal.yaml and overrides values with environment variables. Two mechanisms apply: legacy named variables and the generic FORGEPORTAL_* convention. Env overrides are applied after loading the YAML file, so they take precedence.


Legacy variables (explicit mapping)

These names are explicitly mapped to config paths. Values are coerced: "true" / "false" → boolean; numeric strings → number; otherwise string.

| Variable | Config path | Type / Default |
|---|---|---|
| DB_HOST | db.host | string (default: localhost) |
| DB_PORT | db.port | number (default: 5432) |
| DB_NAME | db.database | string (default: forgeportal) |
| DB_USER | db.user | string (default: forge) |
| DB_PASSWORD | db.password | string (default: forge_local_dev) |
| PORT | server.port | number (default: 4000) |
| LOG_LEVEL | server.logLevel | string (default: info) |
| OIDC_ISSUER | auth.oidc.issuer | string (URL) |
| OIDC_CLIENT_ID | auth.oidc.clientId | string |
| OIDC_CLIENT_SECRET | auth.oidc.clientSecret | string (secret) |
| OIDC_REDIRECT_URI | auth.oidc.redirectUri | string (URL) |
| OIDC_SCOPES | auth.oidc.scopes | string (default: openid email profile) |
| OIDC_GROUPS_CLAIM | auth.oidc.groupsClaim | string |
| SESSION_SECRET | auth.sessionSecret | string (min 16 chars) |
| ENCRYPTION_KEY | encryptionKey | string (min 16 chars) |
| MIGRATIONS_DIR | migrations.dir | string (default: tools/migration) |
| RUN_SEED | migrations.runSeed | boolean (default: false) |
| SEED_FILE | migrations.seedFile | string (default: tools/seed/seed_v1.sql) |

Example (production DB):

DB_HOST=postgres.internal
DB_PORT=5432
DB_NAME=forgeportal
DB_USER=forge
DB_PASSWORD=secret

Example (OIDC):

OIDC_ISSUER=https://keycloak.example.com/realms/forgeportal
OIDC_CLIENT_ID=forgeportal
OIDC_CLIENT_SECRET=xxx
OIDC_SCOPES=openid email profile groups
SESSION_SECRET=at-least-16-chars-secret

Generic override: FORGEPORTAL_*

Any nested config key can be overridden with an env var of the form:

FORGEPORTAL_<Section>__<Key>__<SubKey>...
  • Prefix: FORGEPORTAL_
  • Segments: separated by double underscore __
  • Naming: each segment is converted from snake_case to camelCase (e.g. log_level → logLevel), then used as the config key.

So you can set values that have no legacy name, such as SCM tokens, server host, or plugin-related keys.

Examples

| Env variable | Config path | Description |
|---|---|---|
| FORGEPORTAL_SERVER__HOST | server.host | Bind address (e.g. 0.0.0.0) |
| FORGEPORTAL_SERVER__PORT | server.port | Listen port (same as PORT legacy) |
| FORGEPORTAL_SCM__GITHUB__TOKEN | scm.github.token | GitHub PAT |
| FORGEPORTAL_SCM__GITHUB__APP_ID | scm.github.appId | GitHub App ID |
| FORGEPORTAL_SCM__GITHUB__PRIVATE_KEY_PATH | scm.github.privateKeyPath | Path to App private key |
| FORGEPORTAL_SCM__GITHUB__WEBHOOK_SECRET | scm.github.webhookSecret | Webhook secret for GitHub |
| FORGEPORTAL_SCM__GITLAB__TOKEN | scm.gitlab.token | GitLab token |
| FORGEPORTAL_SCM__GITLAB__BASE_URL | scm.gitlab.baseUrl | GitLab API base URL |
| FORGEPORTAL_SCM__GITLAB__WEBHOOK_SECRET | scm.gitlab.webhookSecret | Webhook secret for GitLab |
| FORGEPORTAL_DISCOVERY__INTERVAL_MINUTES | discovery.intervalMinutes | Scan interval (number) |
| FORGEPORTAL_DOCS__MAX_INDEX_FILE_SIZE_BYTES | docs.maxIndexFileSizeBytes | Max file size for indexing (number) |
| FORGEPORTAL_SCORECARDS__EVAL_INTERVAL_HOURS | scorecards.evalIntervalHours | Scorecard run interval (number) |

Coercion is the same: "true"/"false" → boolean, numeric string → number, else string.


Plugin secrets: FORGEPORTAL_PLUGIN_<ID>_<KEY>

Plugins can read secrets from environment variables so they are never stored in YAML. The convention is:

FORGEPORTAL_PLUGIN_<PLUGIN_ID>_<KEY>
  • PLUGIN_ID: plugin identifier (e.g. PAGERDUTY, SLACK_NOTIFY), usually uppercase and derived from the package name.
  • KEY: secret key name in uppercase (e.g. APITOKEN, WEBHOOK_URL).

These are typically injected into the plugin's config at runtime (key normalized to camelCase). Non-secret config stays in forgeportal.yaml under plugins.<id>.config.

Examples:

| Env variable | Typical use |
|---|---|
| FORGEPORTAL_PLUGIN_PAGERDUTY_APITOKEN | PagerDuty API token for plugin pagerduty |
| FORGEPORTAL_PLUGIN_SLACK_NOTIFY_WEBHOOK_URL | Slack webhook URL for plugin slack-notify |

Precedence and summary

  1. Default values from the schema (see forgeportal.yaml).
  2. forgeportal.yaml (file config).
  3. Legacy env vars (e.g. DB_PASSWORD, OIDC_CLIENT_SECRET).
  4. FORGEPORTAL_* and FORGEPORTAL_PLUGIN_* env vars.

So: file first, then env overrides. Use legacy names where they exist; for everything else (SCM tokens, server host, plugins, discovery, docs, scorecards) use the FORGEPORTAL_ or FORGEPORTAL_PLUGIN_ convention. Never commit secrets in YAML; set them via the environment or a secrets manager that injects env vars.
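
The naming, coercion and precedence rules above, modelled as an added example that is not ForgePortal's own code. The function names, the exact definition of a "numeric string", the rejection of malformed names and the skipping of FORGEPORTAL_PLUGIN_* names are assumptions.

```javascript
// Added example (not ForgePortal source). Subset of the legacy table on this page.
const LEGACY = {
  DB_PORT: 'db.port', DB_PASSWORD: 'db.password', PORT: 'server.port',
  LOG_LEVEL: 'server.logLevel', SESSION_SECRET: 'auth.sessionSecret',
  RUN_SEED: 'migrations.runSeed',
};

// "true"/"false" -> boolean, numeric string -> number, otherwise string.
// Assumption: "numeric" = optional minus sign, digits, optional decimal part.
function coerce(raw) {
  if (raw === 'true' || raw === 'false') return raw === 'true';
  return /^-?\d+(\.\d+)?$/.test(raw) ? Number(raw) : raw;
}

// One snake_case segment -> camelCase key, e.g. APP_ID -> appId.
const toCamel = (seg) =>
  seg.toLowerCase().replace(/_([a-z0-9])/g, (_, c) => c.toUpperCase());

// FORGEPORTAL_SCM__GITHUB__APP_ID -> "scm.github.appId"; null for any other name.
// Assumptions: FORGEPORTAL_PLUGIN_* is handled elsewhere; malformed names are ignored.
function genericPath(name) {
  const m = /^FORGEPORTAL_(?!PLUGIN_)(.+)$/.exec(name);
  if (!m) return null;
  const segs = m[1].split('__');
  const ok = segs.every((s) => /^[A-Z0-9]+(_[A-Z0-9]+)*$/.test(s));
  return ok ? segs.map(toCamel).join('.') : null;
}

// Set a dotted path on a nested object, creating intermediate objects.
function setPath(obj, path, value) {
  const keys = path.split('.');
  const last = keys.pop();
  let node = obj;
  for (const k of keys) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[last] = value;
}

// Documented order: file config, then legacy vars, then FORGEPORTAL_* vars.
function applyEnv(fileConfig, env) {
  const cfg = JSON.parse(JSON.stringify(fileConfig));
  for (const [name, path] of Object.entries(LEGACY))
    if (name in env) setPath(cfg, path, coerce(env[name]));
  for (const [name, raw] of Object.entries(env)) {
    const path = genericPath(name);
    if (path) setPath(cfg, path, coerce(raw));
  }
  return cfg;
}
```

Under the assumed numeric rule, an all-digit SESSION_SECRET resolves to a number rather than a string, so it is worth checking the resolved type of each secret before deployment.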