All skills
Skillintermediate

Environment Variables Documentation

This document provides a comprehensive list of all environment variables used in the Claude GitHub Webhook project.

Claude Code Knowledge Pack7/10/2026

Overview

Environment Variables Documentation

This document provides a comprehensive list of all environment variables used in the Claude GitHub Webhook project.

Table of Contents

Core Application Configuration

VariableDescriptionDefaultRequired
NODE_ENVApplication environment (development/production/test)developmentNo
PORTServer port3002No
TRUST_PROXYTrust proxy headers for X-Forwarded-ForfalseNo

Bot Configuration

VariableDescriptionDefaultRequired
BOT_USERNAMEGitHub username the bot responds to (e.g., @ClaudeBot)-Yes
BOT_EMAILEmail used for git commits by the bot-Yes
DEFAULT_AUTHORIZED_USERDefault authorized GitHub username-No
AUTHORIZED_USERSComma-separated list of authorized GitHub usernames-No

GitHub Configuration

VariableDescriptionDefaultRequired
GITHUB_TOKENGitHub personal access token-Yes
GITHUB_WEBHOOK_SECRETSecret for validating GitHub webhook payloads-Yes
DEFAULT_GITHUB_OWNERDefault GitHub organization/owner-No
DEFAULT_GITHUB_USERDefault GitHub username-No
DEFAULT_BRANCHDefault git branchmainNo
TEST_REPO_FULL_NAMETest repository in owner/repo format-No

Claude/Anthropic Configuration

VariableDescriptionDefaultRequired
ANTHROPIC_API_KEYAnthropic API key for Claude access-Yes*
ANTHROPIC_MODELModel nameus.anthropic.claude-3-7-sonnet-20250219-v1:0No
CLAUDE_CODE_USE_BEDROCKWhether to use AWS Bedrock for Claude (0/1)0No
CLAUDE_HUB_DIRDirectory for Claude Hub config~/.claude-hubNo
CLAUDE_AUTH_HOST_DIRHost directory for Claude authentication-No

*Required unless using AWS Bedrock or setup container authentication

Container Configuration

VariableDescriptionDefaultRequired
CLAUDE_USE_CONTAINERSEnable container execution (0/1)1No
CLAUDE_CONTAINER_IMAGEDocker image for Claude containersclaudecode:latestNo
CLAUDE_CONTAINER_PRIVILEGEDRun containers in privileged modefalseNo
CLAUDE_CONTAINER_CAP_NET_RAWAdd NET_RAW capabilitytrueNo
CLAUDE_CONTAINER_CAP_SYS_TIMEAdd SYS_TIME capabilityfalseNo
CLAUDE_CONTAINER_CAP_DAC_OVERRIDEAdd DAC_OVERRIDE capabilitytrueNo
CLAUDE_CONTAINER_CAP_AUDIT_WRITEAdd AUDIT_WRITE capabilitytrueNo
CLAUDE_CONTAINER_CPU_SHARESCPU shares for containers1024No
CLAUDE_CONTAINER_MEMORY_LIMITMemory limit for containers2gNo
CLAUDE_CONTAINER_PIDS_LIMITProcess limit for containers256No
CONTAINER_LIFETIME_MSContainer execution timeout in milliseconds7200000 (2 hours)No
REPO_CACHE_DIRDirectory for repository cache/tmp/repo-cacheNo
REPO_CACHE_MAX_AGE_MSMax age for cached repos in milliseconds3600000 (1 hour)No

Claude Code Configuration

VariableDescriptionDefaultRequired
BASH_DEFAULT_TIMEOUT_MSDefault timeout for bash commands in Claude Code600000 (10 minutes)No
BASH_MAX_TIMEOUT_MSMaximum timeout Claude can set for bash commands1200000 (20 minutes)No

AWS Configuration

VariableDescriptionDefaultRequired
AWS_ACCESS_KEY_IDAWS access key ID-No*
AWS_SECRET_ACCESS_KEYAWS secret access key-No*
AWS_SESSION_TOKENAWS session token (for temporary credentials)-No
AWS_SECURITY_TOKENAlternative name for session token-No
AWS_REGIONAWS regionus-east-1No
AWS_PROFILEAWS profile name-No
USE_AWS_PROFILEUse AWS profile instead of direct credentialsfalseNo
AWS_CONTAINER_CREDENTIALS_RELATIVE_URIECS container credentials URI-No

*Required if using AWS Bedrock for Claude

PR Review Configuration

VariableDescriptionDefaultRequired
PR_REVIEW_WAIT_FOR_ALL_CHECKSWait for all checks before PR reviewtrueNo
PR_REVIEW_TRIGGER_WORKFLOWSpecific workflow name to trigger PR review-No
PR_REVIEW_DEBOUNCE_MSDelay before checking all check suites5000No
PR_REVIEW_MAX_WAIT_MSMax wait for in-progress checks1800000 (30 min)No
PR_REVIEW_CONDITIONAL_TIMEOUT_MSTimeout for conditional jobs300000 (5 min)No

Security & Secrets Configuration

VariableDescriptionDefaultRequired
GITHUB_TOKEN_FILEPath to file containing GitHub token/run/secrets/github_tokenNo
ANTHROPIC_API_KEY_FILEPath to file containing Anthropic API key/run/secrets/anthropic_api_keyNo
GITHUB_WEBHOOK_SECRET_FILEPath to file containing webhook secret/run/secrets/webhook_secretNo
DISABLE_LOG_REDACTIONDisable credential redaction in logsfalseNo

Rate Limiting Configuration

These values are currently hard-coded but could be made configurable:

ValueDescriptionCurrent ValueLocation
Rate limit windowAPI rate limit time window15 minutessrc/index.ts:32
Rate limit max requestsMax API requests per window100src/index.ts:41
Webhook rate limit windowWebhook rate limit time window5 minutessrc/index.ts:50
Webhook rate limit max requestsMax webhook requests per window50src/index.ts:51

Health Check Configuration

These values are defined in docker-compose.yml:

ValueDescriptionCurrent Value
Health check intervalTime between health checks30s
Health check timeoutTimeout for each health check10s
Health check retriesNumber of retries before unhealthy3
Health check start periodGrace period on startup10s

Development/Test Variables

VariableDescriptionDefaultRequired
API_URLAPI URL for testinghttp://localhost:3003No
WEBHOOK_URLWebhook URL for testing-No
CLAUDE_API_AUTH_REQUIREDRequire auth for Claude APIfalseNo
CLAUDE_API_AUTH_TOKENAuth token for Claude API-No
HOMEUser home directory-No
WORKSPACE_PATHGitHub Actions workspace path-No
GITHUB_WORKSPACEGitHub Actions workspace-No

Shell Script Variables

VariableDescriptionUsed In
ALLOWED_TOOLSTools allowed for Claude executionentrypoint scripts
OPERATION_TYPEType of operation (tagging, review, etc.)entrypoint scripts
PRODUCTION_BOTProduction bot usernamesetup scripts
STAGING_BOTStaging bot usernamesetup scripts
RUNNER_TOKENGitHub Actions runner tokenrunner scripts

Hard-coded Values That Could Be Configurable

The following values are currently hard-coded in the source code but could potentially be made configurable via environment variables:

Buffer Sizes

  • Docker execution buffer: 10MB (src/services/claudeService.ts:160)
  • Container logs buffer: 1MB (src/services/claudeService.ts:184,590)

External URLs

  • EC2 metadata endpoint: http://169.254.169.254/latest/meta-data/ (src/utils/awsCredentialProvider.ts:94)
  • GitHub API meta: https://api.github.com/meta (scripts/security/init-firewall.sh:32)

Allowed Domains (Firewall)

  • registry.npmjs.org
  • api.anthropic.com
  • sentry.io
  • statsig.anthropic.com
  • statsig.com

Default Values

  • Default git email in containers: claude@example.com (scripts/runtime/claudecode-entrypoint.sh:89)
  • Default git username in containers: ClaudeBot (scripts/runtime/claudecode-entrypoint.sh:90)
  • Health check container image: claude-code-runner:latest (src/index.ts:140)

Docker Base Images

  • Node base image: node:24 (Dockerfile.claudecode:1)
  • Delta version: 0.18.2 (Dockerfile.claudecode:87)
  • Zsh-in-docker version: v1.2.0 (Dockerfile.claudecode:91)

Notes

  1. Secret Files: The application supports loading secrets from files, which takes priority over environment variables. This is more secure for production deployments.

  2. AWS Authentication: The service supports multiple AWS authentication methods:

    • Direct credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY)
    • AWS profiles (AWS_PROFILE with USE_AWS_PROFILE=true)
    • Instance profiles (EC2)
    • Task roles (ECS)
  3. Container Capabilities: The container capability flags allow fine-grained control over container permissions for security purposes.

  4. Staging Environment: Additional environment variables are defined in .env.staging for staging deployments, following the pattern VARIABLE_NAME_STAGING.