Environment setup
Environment variables across services: local dev, Cloud Run, Modal, and GitHub Actions.
Overview
| Service | Config location | Secrets storage |
|---|---|---|
| Local dev | .env file | Local file |
| Cloud Run (API) | Terraform | GitHub Secrets |
| Modal.com | Modal secrets | Modal dashboard |
| GitHub Actions | Workflow files | GitHub Secrets |
Local development
Copy .env.example to .env and configure:
```
# Supabase (from `supabase start` output)
SUPABASE_URL=http://127.0.0.1:54321
SUPABASE_KEY=eyJ...
SUPABASE_SERVICE_KEY=eyJ...
SUPABASE_DB_URL=postgresql://postgres:postgres@127.0.0.1:54322/postgres

# Storage
STORAGE_BUCKET=datasets

# API
API_TITLE=PolicyEngine API
API_VERSION=0.1.0
API_PORT=8000
DEBUG=true

# Observability
LOGFIRE_TOKEN=...
LOGFIRE_ENVIRONMENT=local

# Modal (for local testing)
MODAL_TOKEN_ID=ak-...
MODAL_TOKEN_SECRET=as-...
```
Modal.com secrets
Modal functions read from a secret named policyengine-db:
```bash
modal secret create policyengine-db \
  DATABASE_URL="postgresql://..." \
  SUPABASE_URL="https://xxx.supabase.co" \
  SUPABASE_KEY="eyJ..." \
  STORAGE_BUCKET="datasets"
```
| Key | Description |
|---|---|
| DATABASE_URL | Supabase Postgres (use connection pooler) |
| SUPABASE_URL | Supabase project URL |
| SUPABASE_KEY | Supabase anon or service key |
| STORAGE_BUCKET | Supabase storage bucket name |
GitHub Actions
Required secrets for CI/CD (Settings → Secrets):
Secrets:
- SUPABASE_URL
- SUPABASE_KEY
- SUPABASE_DB_URL
- LOGFIRE_TOKEN
- MODAL_TOKEN_ID
- MODAL_TOKEN_SECRET
- GCP_WORKLOAD_IDENTITY_PROVIDER
- GCP_SERVICE_ACCOUNT

Variables:
- GCP_PROJECT_ID
- GCP_REGION
- PROJECT_NAME
- API_SERVICE_NAME
Database URLs
Supabase provides multiple connection options:
| Type | Use case | Port |
|---|---|---|
| Direct | Local dev | 54322 |
| Pooler (transaction) | Cloud Run, Modal | 6543 |
| Pooler (session) | Long connections | 5432 |
Use the transaction pooler (port 6543) for serverless environments; it handles IPv4 and connection limits.
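A pre-deploy check for the settings above, as an added example that is not part of the project's code: it compares the port in each database URL with the "Database URLs" table and reports when `SUPABASE_KEY` is a service key rather than the anon key. It assumes the keys are JWTs carrying a `role` claim (as the `eyJ...` prefix suggests); the target labels, function names and sample values are this example's own.

```python
import base64
import json
from urllib.parse import urlsplit

# Ports come from the "Database URLs" table; target names are this example's labels.
EXPECTED_PORT = {"local": 54322, "cloud-run": 6543, "modal": 6543}
DB_KEYS = ("DATABASE_URL", "SUPABASE_DB_URL")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"')
    return env

def jwt_role(key):
    """Return the unverified 'role' claim of a JWT-style key, or None (assumed key format)."""
    try:
        payload = key.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None

def sample_key(role):
    """Build a constructed, unsigned JWT-shaped key for the demo below."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256'})}.{b64({'role': role})}.constructed"

def check(env_text, target):
    """Return findings for one target: wrong DB port, service_role key in use."""
    env, findings = parse_env(env_text), []
    for name in DB_KEYS:
        if name in env:
            port = urlsplit(env[name]).port
            if port != EXPECTED_PORT[target]:
                findings.append(f"{name}: port {port}, expected {EXPECTED_PORT[target]}")
    if jwt_role(env.get("SUPABASE_KEY", "")) == "service_role":
        findings.append("SUPABASE_KEY: service_role key, confirm the anon key does not suffice")
    return findings

if __name__ == "__main__":
    # Constructed sample: a Modal secret that points at the session pooler port.
    demo = f"DATABASE_URL=postgresql://u:p@db.example.invalid:5432/postgres\nSUPABASE_KEY={sample_key('service_role')}\n"
    print("\n".join(check(demo, "modal")))
```

The role is read without verifying the signature, so the result classifies a key you already hold and is not an authenticity check.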