Signet

Configuration via Environment Variables

Signet is configured exclusively through environment variables and follows two core principles: The Override Hierarchy and the "WHERE vs. WHAT" model for secrets.

Principle 1: The Override Hierarchy

  1. Tool-Specific (SIGNET_*): An environment variable is the most specific and will always be used if present.
  2. Universal (3SC_*): If a SIGNET_* variable is not found, the tool looks for a corresponding 3SC_* variable.
  3. Hard-coded Default: If neither is set, the tool falls back to a safe, built-in default.

Principle 2: "WHERE vs. WHAT" for Secrets Management

  • The "WHERE" (The Connection): These variables tell the tool where your secrets vault is and how to authenticate (e.g., 3SC_VAULT_TYPE, SIGNET_GIT_VAULT_TYPE).
  • The "WHAT" (The Secret Name): These variables tell the tool what specific secret to retrieve (e.g., SIGNET_GIT_PAT_SECRET_NAME).

The Golden Rule: If you define a "WHERE" for a task, the tool will require you to provide the corresponding "WHAT".

Core Configuration

Variable (SIGNET_*) Fallback (3SC_*) Required? Default Purpose
SIGNET_APP_NAME No "Application" The name of the application being released. Used for documentation headers.
SIGNET_WORK_ITEM_STYLE No "list" The visual style for work items on the main page (list or categorized).
SIGNET_LICENSE_SERVER_URL 3SC_LICENSE_SERVER_URL Yes The full URL of the 3SC License Server.
SIGNET_LICENSE_TIMEOUT_SECONDS 3SC_LICENSE_TIMEOUT_SECONDS No 300 Timeout in seconds for license server requests.
SIGNET_LICENSE_RETRY_INTERVAL_SECONDS 3SC_LICENSE_RETRY_INTERVAL_SECONDS No 30 Time in seconds to wait between license retry attempts.
SIGNET_LOG_LEVEL 3SC_LOG_LEVEL No "Information" The logging level for the tool.

Git Source Configuration

Variable (SIGNET_GIT_*) Fallback (3SC_*) Purpose
SIGNET_GIT_REPO_URL 3SC_GIT_REPO_URL The full HTTPS URL of the Git repository.
SIGNET_GIT_BRANCH 3SC_GIT_BRANCH The specific branch to analyze.
SIGNET_GIT_PAT 3SC_GIT_PAT A PAT for the repository, if private. (Not Recommended)
SIGNET_GIT_PAT_SECRET_NAME The "WHAT": The name of the secret in a vault for the Git PAT.
SIGNET_GIT_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Git source operations only.
SIGNET_GIT_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the Git PAT.
SIGNET_GIT_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the Git PAT vault.
SIGNET_GIT_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the Git PAT vault.
SIGNET_GIT_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the Git PAT vault.
SIGNET_GIT_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the Git PAT vault.
SIGNET_GIT_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the Git PAT vault.
SIGNET_GIT_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to the GCP service account key file for the Git PAT vault.
SIGNET_GIT_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the Git PAT vault.

Work Item Provider Configuration

Variable (SIGNET_WI_*) Fallback (3SC_*) Purpose
SIGNET_WI_URL Required: The base URL of your provider (e.g., https://my-org.atlassian.net).
SIGNET_WI_PROVIDER Explicitly sets the provider type (Jira, AzureDevOps, GitHub). Often not needed.
SIGNET_WI_PAT Conditional: The PAT for your provider. (Not Recommended)
SIGNET_WI_PAT_SECRET_NAME The "WHAT": The name of the secret in a vault for the provider PAT.
SIGNET_WI_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Work Item operations only.
SIGNET_WI_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the WI PAT.
SIGNET_WI_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the WI PAT vault.
SIGNET_WI_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the WI PAT vault.
SIGNET_WI_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the WI PAT vault.
SIGNET_WI_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the WI PAT vault.
SIGNET_WI_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the WI PAT vault.
SIGNET_WI_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to the GCP service account key file for the WI PAT vault.
SIGNET_WI_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the WI PAT vault.

Publisher Configuration

Variable (SIGNET_PUBLISHER_*) Default Purpose
SIGNET_PUBLISHER_TYPE Git The destination for your release notes (Git, Confluence, Notion).

If PUBLISHER_TYPE=Git

Variable (SIGNET_PUBLISHER_GIT_*) Fallback (3SC_*) Purpose
SIGNET_PUBLISHER_GIT_REPO_URL Required: The URL of the Git Wiki repository.
SIGNET_PUBLISHER_GIT_BRANCH The branch to push to (defaults to main).
SIGNET_PUBLISHER_GIT_PAT Conditional: The PAT for the wiki repository. (Not Recommended)
SIGNET_PUBLISHER_GIT_PAT_SECRET_NAME The "WHAT": The name of the secret in a vault for the wiki PAT.
SIGNET_PUBLISHER_GIT_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Git Publisher operations only.
SIGNET_PUBLISHER_GIT_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the Git Publisher PAT.
SIGNET_PUBLISHER_GIT_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to GCP service account key for the Git Publisher PAT vault.
SIGNET_PUBLISHER_GIT_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the Git Publisher PAT vault.

If PUBLISHER_TYPE=Confluence

Variable (SIGNET_PUBLISHER_CONFLUENCE_*) Fallback (3SC_*) Purpose
SIGNET_PUBLISHER_CONFLUENCE_BASE_URL Required: The base URL of your Confluence instance.
SIGNET_PUBLISHER_CONFLUENCE_API_USER Required: The email address of the user for API authentication.
SIGNET_PUBLISHER_CONFLUENCE_SPACE_KEY Required: The key of the Confluence space to publish to.
SIGNET_PUBLISHER_CONFLUENCE_PARENT_PAGE_ID Required: The ID of the parent page under which new releases will be created.
SIGNET_PUBLISHER_CONFLUENCE_API_TOKEN Conditional: The Confluence API token. (Not Recommended)
SIGNET_PUBLISHER_CONFLUENCE_API_TOKEN_SECRET_NAME The "WHAT": The name of the secret in a vault for the API token.
SIGNET_PUBLISHER_CONFLUENCE_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Confluence operations only.
SIGNET_PUBLISHER_CONFLUENCE_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the Confluence token.
SIGNET_PUBLISHER_CONFLUENCE_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to GCP service account key for the Confluence token vault.
SIGNET_PUBLISHER_CONFLUENCE_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the Confluence token vault.

If PUBLISHER_TYPE=Notion

Variable (SIGNET_PUBLISHER_NOTION_*) Fallback (3SC_*) Purpose
SIGNET_PUBLISHER_NOTION_DATABASE_ID Required: The ID of the Notion database to add pages to.
SIGNET_PUBLISHER_NOTION_API_TOKEN Conditional: The Notion API token. (Not Recommended)
SIGNET_PUBLISHER_NOTION_API_TOKEN_SECRET_NAME The "WHAT": The name of the secret in a vault for the API token.
SIGNET_PUBLISHER_NOTION_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Notion operations only.
SIGNET_PUBLISHER_NOTION_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the Notion token.
SIGNET_PUBLISHER_NOTION_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the Notion token vault.
SIGNET_PUBLISHER_NOTION_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the Notion token vault.
SIGNET_PUBLISHER_NOTION_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the Notion token vault.
SIGNET_PUBLISHER_NOTION_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the Notion token vault.
SIGNET_PUBLISHER_NOTION_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the Notion token vault.
SIGNET_PUBLISHER_NOTION_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to GCP service account key for the Notion token vault.
SIGNET_PUBLISHER_NOTION_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the Notion token vault.

Observability Configuration

Variable (SIGNET_LOG_*) Fallback (3SC_*) Purpose
SIGNET_LOG_ENDPOINT_URL 3SC_LOG_ENDPOINT_URL The URL for the Firehose endpoint.
SIGNET_LOG_ENDPOINT_TOKEN 3SC_LOG_ENDPOINT_TOKEN A direct authentication token for the endpoint.
SIGNET_LOG_ENDPOINT_TOKEN_SECRET_NAME The "WHAT": The name of the secret in a vault for the token.
SIGNET_LOG_VAULT_TYPE 3SC_VAULT_TYPE The scoped "WHERE": Overrides the Vault provider for Logging operations only.
SIGNET_LOG_VAULT_URL 3SC_VAULT_URL The scoped "WHERE": The endpoint for the vault used for the Firehose token.
SIGNET_LOG_AZURE_CLIENT_ID 3SC_AZURE_CLIENT_ID The scoped "WHERE": Azure SP Client ID for the Firehose token vault.
SIGNET_LOG_AZURE_CLIENT_SECRET 3SC_AZURE_CLIENT_SECRET The scoped "WHERE": Azure SP Client Secret for the Firehose token vault.
SIGNET_LOG_AZURE_TENANT_ID 3SC_AZURE_TENANT_ID The scoped "WHERE": Azure Tenant ID for the Firehose token vault.
SIGNET_LOG_AWS_ACCESS_KEY_ID 3SC_AWS_ACCESS_KEY_ID The scoped "WHERE": AWS Access Key ID for the Firehose token vault.
SIGNET_LOG_AWS_SECRET_ACCESS_KEY 3SC_AWS_SECRET_ACCESS_KEY The scoped "WHERE": AWS Secret Access Key for the Firehose token vault.
SIGNET_LOG_GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS The scoped "WHERE": Path to the GCP service account key file for the Firehose token vault.
SIGNET_LOG_VAULT_TOKEN 3SC_VAULT_TOKEN The scoped "WHERE": The HashiCorp Vault token for the Firehose token.

Licensing & Degraded Mode

  • If a valid license cannot be acquired, Signet runs in a Degraded Mode.
  • In this mode, it logs a warning message and exits with a success code (0), skipping all operations. This ensures that a licensing issue does not block your release pipeline.