Secret Rotation¶

Rotate credentials used by xfg regularly to limit the blast radius of a compromise.

Recommended Schedules¶

Credential	Recommended Schedule
GH_TOKEN (GitHub PAT)	Every 90 days
GitHub App private key (.pem)	Every 6 months
Azure DevOps PAT / service principal	Every 90 days
GitLab PAT / project access token	Every 90 days
CONTEXT7_API_KEY / MCP keys	Per provider policy

Generate a new classic token at GitHub Settings > Personal access tokens (classic) with repo and workflow scopes.
Update the secret in your CI environment:
GitHub Actions: Repository > Settings > Secrets and variables > Actions > Update GH_TOKEN
Azure Pipelines: Pipeline > Edit > Variables > Update GH_TOKEN
GitLab CI: Settings > CI/CD > Variables > Update GH_TOKEN
Trigger a test run to verify the new token works.

Go to your GitHub App settings > General > Private keys.
Click Generate a private key to create a new .pem file.
Update the APP_PRIVATE_KEY secret in your CI environment with the contents of the new .pem file.
Trigger a test run to confirm xfg can authenticate with the new key.
Delete the old private key from the GitHub App settings page.

See GitHub App Authentication for full setup details.

Rotate the client secret in Azure AD > App registrations > your app > Certificates & secrets.
Update the secret in your CI pipeline variables.

For local development credentials (CONTEXT7_API_KEY, SSH keys, platform CLI sessions), see the Secret Rotation section in DEVELOPMENT.md.

After rotating any credential, run a dry-run sync to confirm xfg can authenticate without making changes:

xfg sync --config <config.yaml> --dry-run

Check the output for authentication errors before running a real sync.