From 8803fa4e183b8f5b0f57cf8de2f806260acb702e Mon Sep 17 00:00:00 2001 From: confused-Techie Date: Tue, 19 Aug 2025 19:20:39 -0700 Subject: [PATCH 01/15] Add runbooks dir --- guides/runbooks/README.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 guides/runbooks/README.md diff --git a/guides/runbooks/README.md b/guides/runbooks/README.md new file mode 100644 index 0000000..a92839c --- /dev/null +++ b/guides/runbooks/README.md @@ -0,0 +1,5 @@ +# Runbooks + +This directory of runbooks contains various documents detailing the 'how' and 'where' of various un-connecting parts of the Pulsar organization. + +Aimed to be as helpful and concise as possible to inform the Pulsar maintainers of where certain things might be, or how to fix various situations. From 6f11e074c1a4d4e60089852cac1edb525874f928 Mon Sep 17 00:00:00 2001 From: confused-Techie Date: Tue, 19 Aug 2025 19:20:47 -0700 Subject: [PATCH 02/15] Create secrets runbook --- guides/runbooks/secrets.md | 465 +++++++++++++++++++++++++++++++++++++ 1 file changed, 465 insertions(+) create mode 100644 guides/runbooks/secrets.md diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md new file mode 100644 index 0000000..bd1c728 --- /dev/null +++ b/guides/runbooks/secrets.md 
@@ -0,0 +1,465 @@ +# Secrets + +This document attempts to cover the 'where' of various secrets, and what they control. + +## 1. GitHub Organization Level Secrets + +The following secrets are stored as `Actions` secrets in the `pulsar-edit` organization. + +Accessible from `https://github.com/organizations/pulsar-edit/settings/secrets/actions`. + +### 1.1 `NPM_PUBLISH_TOKEN` + +**DESCRIPTION** + +This token allows publish access to our `@pulsar-edit` NPM account. +Likely this token was generated by a user on the NPM organization that has publish access. + +**IMPORTANT** + +The secret has very limited 'visibility', only being visible to the repositories +we know need to use it, and any new repo **must** be given access to this secret +via it's 'visibility'. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: confused-Techie + +## 2 `pulsar-edit/pulsar` Repository Level Secrets + +The following secrets are stored as `Actions` secrets in the `pulsar-edit/pulsar` repository. + +Accessible from `https://github.com/pulsar-edit/pulsar/settings/secrets/actions`. + +### 2.1 `APPLEID` + +**DESCRIPTION** + +The AppleID of a developer Apple account, that allows us to sign macOS binaries produced +in GitHub Actions. + +**IMPORTANT** + +These permissions will fail if the developer has not agreed to the newest Apple +Developer terms of service. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: meadowsys + +### 2.2 `APPLEID_PASSWORD` + +**DESCRIPTION** + +The AppleID password of a developer Apple account, that allows us to sign macOS binaries +produced in GitHub Actions. + +**IMPORTANT** + +These permissions will fail if the developer has not agreed to the newest Apple +Developer terms of service. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: meadowsys + +### 2.3 `CSC_KEY_PASSWORD` + +**DESCRIPTION** + +The password to decrypt the certificate given in `CSC_LINK`. 
Tied to an +Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. + +**IMPORTANT** + +These permissions will fail if the developer has not agreed to the newest Apple +Developer terms of service. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: meadowsys + +### 2.4 `CSC_LINK` + +**DESCRIPTION** + +The HTTPS link to a certificate. Tied to an Apple developer account that allows +us to sign macOS binaries produced in GitHub Actions. + +**IMPORTANT** + +These permissions will fail if the developer has not agreed to the newest Apple +Developer terms of service. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: meadowsys + +### 2.5 `ELECTRON_NEXT_BINARIES_UPLOAD_TOKEN` + +**DESCRIPTION** + +A GitHub PAT token that gives access to `pulsar-edit/pulsar-electron-next-binaries`. +This ensures that releases can be created and binaries uploaded to it. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated via this secret. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: DeeDeeG + +### 2.6 `ROLLING_RELEASE_UPLOAD_TOKEN` + +**DESCRIPTION** + +A GitHub PAT token that gives access to `pulsar-edit/pulsar-rolling-releases`. +This ensures that releases can be created and binaries uploaded to it. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated via this secret. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: DeeDeeG + +### 2.7 `TEAM_ID` + +**DESCRIPTION** + +A value tied to an Apple developer account that allows us to sign macOS +binaries produced in GitHub Actions. + +**IMPORTANT** + +These permissions will fail if the developer has not agreed to the newest Apple +Developer terms of service. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: meadowsys + +## 3. CirrusCI Secrets + +The following secrets are stored within CirrusCI as 'Secured Variables'. 
+While a 'Secured Variable' doesn't have any title or way to look it up, +this document will use the names we assign to them within `pulsar-edit/pulsar/.cirrus.yml`. + +### 3.1 `GITHUB_TOKEN` + +**DESCRIPTION** + +A GitHub PAT token with zero permissions. This token is used so that CirrusCI's +API requests to GitHub are authenticated and have a higher API rate limit. +This was done due to a high number of requests when downloading 'RipGrep'. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying +the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. + +**PERMISSIONS** + +This token requires **zero** permissions, as it doesn't access any organization +specific resources. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: Unknown + +### 3.2 `ROLLING_UPLOAD_TOKEN` + +**DESCRIPTION** + +Identical to `2.6`. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying +the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: Unknown + +### 3.3 `CSC_LINK` + +***DESCRIPTION** + +Identical to `2.4`. + +**IMPORTANT** + +Identical to `2.4`. + +**OWNERSHIP** + +Identical to `2.4`. + +### 3.4 `CSC_KEY_PASSWORD` + +***DESCRIPTION** + +Identical to `2.3`. + +**IMPORTANT** + +Identical to `2.3`. + +**OWNERSHIP** + +Identical to `2.3`. + +### 3.5 `APPLEID` + +***DESCRIPTION** + +Identical to `2.1`. + +**IMPORTANT** + +Identical to `2.1`. + +**OWNERSHIP** + +Identical to `2.1`. + +### 3.6 `APPLEID_PASSWORD` + +***DESCRIPTION** + +Identical to `2.1`. + +**IMPORTANT** + +Identical to `2.1`. + +**OWNERSHIP** + +Identical to `2.1`. + +### 3.7 `TEAM_ID` + +***DESCRIPTION** + +Identical to `2.7`. + +**IMPORTANT** + +Identical to `2.7`. + +**OWNERSHIP** + +Identical to `2.7`. 
+ +### 3.8 `ROLLING_UPLOAD_TOKEN` + +**DESCRIPTION** + +Identical to `2.6`. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying +the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: Unknown + +## 4. Google Cloud: Secret Manager + +The following secrets are stored in GCP's 'Secret Manager'. To access you **must** +be added to the 'pulsar' GCP project. +To modify any of these secrets you **must** be given `secretmanager.secrets.update` +permissions within GCP. + +### 4.1 `ASC_MICROSERVICE_DB_DB` + +**DESCRIPTION** + +The database name for Pulsar's Package Registry Database. + +This is used by the `pulsar-edit/package-frontend` microservice `auth-state-cleanup` +to preform periodic cleanup of saved `state` keys used to protect against cross-site +request forgery attacks during the GitHub OAuth signup flow. + +**IMPORTANT** + +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under +the 'Connection Pools' tab. As this is the 'table' that the microservice connects to. + +**OWNERSHIP** + +N/A + +### 4.2 `ASC_MICROSERVICE_DB_HOST` + +**DESCRIPTION** + +The database hostname for Pulsar's Package Registry Database. + +Identical to `4.1`. + +**IMPORTANT** + +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, +under the 'Overview' tab under 'Connection Details'. As this DigitalOcean +controls the hostname we connect to. + +**OWNERSHIP** + +N/A + +### 4.3 `ASC_MICROSERVICE_DB_PASS` + +**DESCRIPTION** + +The database password for Pulsar's Package Registry Database. + +Identical to `4.1`. + +**IMPORTANT** + +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, +under the 'Users & Databases' tab. As this defines the user's available. 
+ +**OWNERSHIP** + +N/A + +### 4.4 `ASC_MICROSERVICE_DB_PORT` + +**DESCRIPTION** + +The database port for Pulsar's Package Registry Database. + +Identical to `4.1`. + +**IMPORTANT** + +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, +under the 'Overview' tab under 'Connection Details'. As this DigitalOcean +controls the port we connect to. + +**OWNERSHIP** + +N/A + +### 4.5 `ASC_MICROSERVICE_DB_SSL_CERT` + +**DESCRIPTION** + +The database SSL certificate for Pulsar's Package Registry Database. + +Identical to `4.1`. + +**IMPORTANT** + +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, +under the 'Overview' tab under 'Connection Details'. As this DigitalOcean +controls the SSL certificate we use. + +**OWNERSHIP** + +N/A + +### 4.6 `ASC_MICROSERVICE_DB_USER` + +**DESCRIPTION** + +The database username for Pulsar's Package Registry Database. + +Identical to `4.1` + +**IMPORTANT** + +Identical to `4.3`. + +**OWNERSHIP** + +N/A + +### 4.7 `DISCORD_SPONSOR_WEBHOOK` + +**DESCRIPTION** + +The Webhook URL used to post to the `#donations` Discord channel as the user `GitHub Sponsors`. +This URL is used by the `pulsar-edit/package-frontend` microservice `webhooks` +to post modified webhooks from GitHub Sponsors, more about this process in 4.9. + +**IMPORTANT** + +This will likely never change, but it's value is stored in the Pulsar Discord Server: +Server Settings > Apps > Integrations > Webhooks > GitHub Sponsors + +**OWNERSHIP** + +The value of this URL is owned and controlled by Discord. + +### 4.8 `GH_TOKEN_DOWNLOAD_MICROSERVICE` + +**DESCRIPTION** + +A GitHub PAT token with zero permissions. This token is used so that the `pulsar-edit/frontend` +microservice `download` has higher rate limits against the GitHub API. + +**IMPORTANT** + +PAT tokens by default have an expiration date, and if/when this token expires it +**must** be updated by updating the value in GCP's Secret Manager Dashboard. 
+ +**PERMISSIONS** + +This token requires **zero** permissions, as it doesn't access any organization +specific resources. + +**OWNERSHIP** + +- Last Updated: August 2025 +- Who: confused-Techie + +### 4.9 `WEBHOOKS_MICROSERVICE_TOKEN` + +**DESCRIPTION** + +A secret token that validates a legit webhook request from Github. + +This token is a random string manually inserted into the webhook details for Pulsar's +GitHub Sponsors webhook. The same exact token is then used in this variable +on GCP, so that when the `webhook` microservice receives a request it can check +if the two tokens match, so that it knows the request came from GitHub. + +If it did, it will then modify the webhook data to be compatible in Discord, so +that GitHub Sponsors alerts can be sent in the `#donations` Discord channel. + +**IMPORTANT** + +It's best to avoid ever changing this value. As it **must** be changed along with +the token used in the GitHub Sponsors Webhook settings (which are different than +GitHub Webhook settings). + +If changed, this value is currently a random string, and is consumed by +the `pulsar-edit/package-frontend` microservice `webhooks`. + +**OWNERSHIP** + +N/A From 768df8559c12d0f6d8b7de57b36b9abd3be3b789 Mon Sep 17 00:00:00 2001 From: confused-Techie Date: Tue, 19 Aug 2025 19:26:15 -0700 Subject: [PATCH 03/15] Resolve formatting mistake --- guides/runbooks/secrets.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index bd1c728..d858643 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -200,7 +200,7 @@ the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. ### 3.3 `CSC_LINK` -***DESCRIPTION** +**DESCRIPTION** Identical to `2.4`. @@ -214,7 +214,7 @@ Identical to `2.4`. ### 3.4 `CSC_KEY_PASSWORD` -***DESCRIPTION** +**DESCRIPTION** Identical to `2.3`. 
@@ -228,7 +228,7 @@ Identical to `2.3`. ### 3.5 `APPLEID` -***DESCRIPTION** +**DESCRIPTION** Identical to `2.1`. @@ -242,7 +242,7 @@ Identical to `2.1`. ### 3.6 `APPLEID_PASSWORD` -***DESCRIPTION** +**DESCRIPTION** Identical to `2.1`. @@ -256,7 +256,7 @@ Identical to `2.1`. ### 3.7 `TEAM_ID` -***DESCRIPTION** +**DESCRIPTION** Identical to `2.7`. From 0ab1f046ad162eb6439f2a35f0dc9c95d557adb7 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:54:22 -0700 Subject: [PATCH 04/15] Update guides/runbooks/secrets.md Co-authored-by: DeeDeeG --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index d858643..1a67f36 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -283,7 +283,7 @@ the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. **OWNERSHIP** - Last Updated: August 2025 -- Who: Unknown +- Who: DeeDeeG ## 4. Google Cloud: Secret Manager From 747e20e58c4f0976cbcd9552ee6703776562e8b3 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:54:29 -0700 Subject: [PATCH 05/15] Update guides/runbooks/secrets.md Co-authored-by: Andrew Dupont --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 1a67f36..5baf998 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -17,7 +17,7 @@ Likely this token was generated by a user on the NPM organization that has publi **IMPORTANT** -The secret has very limited 'visibility', only being visible to the repositories +The secret has very limited _visibility_, only being visible to the repositories we know need to use it, and any new repo **must** be given access to this secret via it's 'visibility'. From e3dbddb2bd917907548d6c1cacb4a16d6afa2938 Mon Sep 17 00:00:00 2001 
From: confused_techie Date: Sat, 30 Aug 2025 20:54:38 -0700 Subject: [PATCH 06/15] Update guides/runbooks/secrets.md Co-authored-by: Andrew Dupont --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 5baf998..3e5b015 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -19,7 +19,7 @@ Likely this token was generated by a user on the NPM organization that has publi The secret has very limited _visibility_, only being visible to the repositories we know need to use it, and any new repo **must** be given access to this secret -via it's 'visibility'. +via its own “visibility” setting. **OWNERSHIP** From 68072ed9e17b81ae271e88dc8dad764a3bf80bc1 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:54:46 -0700 Subject: [PATCH 07/15] Update guides/runbooks/secrets.md Co-authored-by: Andrew Dupont --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 3e5b015..70324c8 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -36,7 +36,7 @@ Accessible from `https://github.com/pulsar-edit/pulsar/settings/secrets/actions` **DESCRIPTION** -The AppleID of a developer Apple account, that allows us to sign macOS binaries produced +The AppleID of a developer Apple account. Allows us to sign macOS binaries produced in GitHub Actions. **IMPORTANT** From a123fd48f52db992100326ed1c269e9a365ac551 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:54:53 -0700 Subject: [PATCH 08/15] Update guides/runbooks/secrets.md Co-authored-by: Andrew Dupont --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 70324c8..200c2b9 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md 
@@ -163,7 +163,7 @@ this document will use the names we assign to them within `pulsar-edit/pulsar/.c A GitHub PAT token with zero permissions. This token is used so that CirrusCI's API requests to GitHub are authenticated and have a higher API rate limit. -This was done due to a high number of requests when downloading 'RipGrep'. +This was done due to a high number of requests when downloading `ripgrep`. **IMPORTANT** From d5185fd801ad1b6328c9de236753b55b07b83430 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:55:00 -0700 Subject: [PATCH 09/15] Update guides/runbooks/secrets.md Co-authored-by: DeeDeeG --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 200c2b9..329219e 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -179,7 +179,7 @@ specific resources. **OWNERSHIP** - Last Updated: August 2025 -- Who: Unknown +- Who: DeeDeeG ### 3.2 `ROLLING_UPLOAD_TOKEN` From cd3a4c89a45c8a0d164b2bb655bbb8b93c82b1c5 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:55:07 -0700 Subject: [PATCH 10/15] Update guides/runbooks/secrets.md Co-authored-by: DeeDeeG --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 329219e..acef77a 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -196,7 +196,7 @@ the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. **OWNERSHIP** - Last Updated: August 2025 -- Who: Unknown +- Who: DeeDeeG ### 3.3 `CSC_LINK` From 9a637883942313a2b6f6567e016ae045636e90e6 Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:56:49 -0700 Subject: [PATCH 11/15] Update guides/runbooks/secrets.md Co-authored-by: DeeDeeG --- guides/runbooks/secrets.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index acef77a..177ff51 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -168,8 +168,10 @@ This was done due to a high number of requests when downloading `ripgrep`. **IMPORTANT** PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying -the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. +**must** be updated by creating a new CirrusCI 'Secured Variable' and either +modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`, or updating +the 'Environment variable overrides' entry for `GITHUB_TOKEN` in the Cirrus CI +web UI. **PERMISSIONS** From 5b2929c64c1c8f388304ccc802e34ea988bf035a Mon Sep 17 00:00:00 2001 From: confused_techie Date: Sat, 30 Aug 2025 20:57:26 -0700 Subject: [PATCH 12/15] Update guides/runbooks/secrets.md Co-authored-by: Andrew Dupont --- guides/runbooks/secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 177ff51..c8d6842 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -10,7 +10,7 @@ Accessible from `https://github.com/organizations/pulsar-edit/settings/secrets/a ### 1.1 `NPM_PUBLISH_TOKEN` -**DESCRIPTION** +#### Description This token allows publish access to our `@pulsar-edit` NPM account. Likely this token was generated by a user on the NPM organization that has publish access. From 336ae99717016338ef20266e73d7c29ef61ccad0 Mon Sep 17 00:00:00 2001 From: confused-Techie Date: Sat, 30 Aug 2025 21:01:36 -0700 Subject: [PATCH 13/15] Formatting: Replace `**WORD**` with headers --- guides/runbooks/secrets.md | 150 ++++++++++++++++++------------------- 1 file changed, 75 insertions(+), 75 deletions(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index c8d6842..38ffeb2 100644 
--- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -15,13 +15,13 @@ Accessible from `https://github.com/organizations/pulsar-edit/settings/secrets/a This token allows publish access to our `@pulsar-edit` NPM account. Likely this token was generated by a user on the NPM organization that has publish access. -**IMPORTANT** +#### Important The secret has very limited _visibility_, only being visible to the repositories we know need to use it, and any new repo **must** be given access to this secret via its own “visibility” setting. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: confused-Techie 
@@ -34,119 +34,119 @@ Accessible from `https://github.com/pulsar-edit/pulsar/settings/secrets/actions` ### 2.1 `APPLEID` -**DESCRIPTION** +#### Description The AppleID of a developer Apple account. Allows us to sign macOS binaries produced in GitHub Actions. -**IMPORTANT** +#### Important These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: meadowsys ### 2.2 `APPLEID_PASSWORD` -**DESCRIPTION** +#### Description The AppleID password of a developer Apple account, that allows us to sign macOS binaries produced in GitHub Actions. -**IMPORTANT** +#### Important These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: meadowsys ### 2.3 `CSC_KEY_PASSWORD` -**DESCRIPTION** +#### Description The password to decrypt the certificate given in `CSC_LINK`. Tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. -**IMPORTANT** +#### Important These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: meadowsys ### 2.4 `CSC_LINK` -**DESCRIPTION** +#### Description The HTTPS link to a certificate. Tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. -**IMPORTANT** +#### Important These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: meadowsys ### 2.5 `ELECTRON_NEXT_BINARIES_UPLOAD_TOKEN` -**DESCRIPTION** +#### Description A GitHub PAT token that gives access to `pulsar-edit/pulsar-electron-next-binaries`. This ensures that releases can be created and binaries uploaded to it. 
-**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated via this secret. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: DeeDeeG ### 2.6 `ROLLING_RELEASE_UPLOAD_TOKEN` -**DESCRIPTION** +#### Description A GitHub PAT token that gives access to `pulsar-edit/pulsar-rolling-releases`. This ensures that releases can be created and binaries uploaded to it. -**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated via this secret. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: DeeDeeG ### 2.7 `TEAM_ID` -**DESCRIPTION** +#### Description A value tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. -**IMPORTANT** +#### Important These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: meadowsys @@ -159,13 +159,13 @@ this document will use the names we assign to them within `pulsar-edit/pulsar/.c ### 3.1 `GITHUB_TOKEN` -**DESCRIPTION** +#### Description A GitHub PAT token with zero permissions. This token is used so that CirrusCI's API requests to GitHub are authenticated and have a higher API rate limit. This was done due to a high number of requests when downloading `ripgrep`. -**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and either 
@@ -178,111 +178,111 @@ web UI. This token requires **zero** permissions, as it doesn't access any organization specific resources. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: DeeDeeG ### 3.2 `ROLLING_UPLOAD_TOKEN` -**DESCRIPTION** +#### Description Identical to `2.6`. -**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: DeeDeeG ### 3.3 `CSC_LINK` -**DESCRIPTION** +#### Description Identical to `2.4`. -**IMPORTANT** +#### Important Identical to `2.4`. -**OWNERSHIP** +#### Ownership Identical to `2.4`. ### 3.4 `CSC_KEY_PASSWORD` -**DESCRIPTION** +#### Description Identical to `2.3`. -**IMPORTANT** +#### Important Identical to `2.3`. -**OWNERSHIP** +#### Ownership Identical to `2.3`. ### 3.5 `APPLEID` -**DESCRIPTION** +#### Description Identical to `2.1`. -**IMPORTANT** +#### Important Identical to `2.1`. -**OWNERSHIP** +#### Ownership Identical to `2.1`. ### 3.6 `APPLEID_PASSWORD` -**DESCRIPTION** +#### Description Identical to `2.1`. -**IMPORTANT** +#### Important Identical to `2.1`. -**OWNERSHIP** +#### Ownership Identical to `2.1`. ### 3.7 `TEAM_ID` -**DESCRIPTION** +#### Description Identical to `2.7`. -**IMPORTANT** +#### Important Identical to `2.7`. -**OWNERSHIP** +#### Ownership Identical to `2.7`. ### 3.8 `ROLLING_UPLOAD_TOKEN` -**DESCRIPTION** +#### Description Identical to `2.6`. -**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: DeeDeeG 
@@ -296,7 +296,7 @@ permissions within GCP. ### 4.1 `ASC_MICROSERVICE_DB_DB` -**DESCRIPTION** +#### Description The database name for Pulsar's Package Registry Database. 
@@ -304,144 +304,144 @@ This is used by the `pulsar-edit/package-frontend` microservice `auth-state-clea to preform periodic cleanup of saved `state` keys used to protect against cross-site request forgery attacks during the GitHub OAuth signup flow. -**IMPORTANT** +#### Important The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Connection Pools' tab. As this is the 'table' that the microservice connects to. -**OWNERSHIP** +#### Ownership N/A ### 4.2 `ASC_MICROSERVICE_DB_HOST` -**DESCRIPTION** +#### Description The database hostname for Pulsar's Package Registry Database. Identical to `4.1`. -**IMPORTANT** +#### Important The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. As this DigitalOcean controls the hostname we connect to. -**OWNERSHIP** +#### Ownership N/A ### 4.3 `ASC_MICROSERVICE_DB_PASS` -**DESCRIPTION** +#### Description The database password for Pulsar's Package Registry Database. Identical to `4.1`. -**IMPORTANT** +#### Important The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Users & Databases' tab. As this defines the user's available. -**OWNERSHIP** +#### Ownership N/A ### 4.4 `ASC_MICROSERVICE_DB_PORT` -**DESCRIPTION** +#### Description The database port for Pulsar's Package Registry Database. Identical to `4.1`. -**IMPORTANT** +#### Important The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. As this DigitalOcean controls the port we connect to. -**OWNERSHIP** +#### Ownership N/A ### 4.5 `ASC_MICROSERVICE_DB_SSL_CERT` -**DESCRIPTION** +#### Description The database SSL certificate for Pulsar's Package Registry Database. Identical to `4.1`. -**IMPORTANT** +#### Important The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. 
As this DigitalOcean controls the SSL certificate we use. -**OWNERSHIP** +#### Ownership N/A ### 4.6 `ASC_MICROSERVICE_DB_USER` -**DESCRIPTION** +#### Description The database username for Pulsar's Package Registry Database. Identical to `4.1` -**IMPORTANT** +#### Important Identical to `4.3`. -**OWNERSHIP** +#### Ownership N/A ### 4.7 `DISCORD_SPONSOR_WEBHOOK` -**DESCRIPTION** +#### Description The Webhook URL used to post to the `#donations` Discord channel as the user `GitHub Sponsors`. This URL is used by the `pulsar-edit/package-frontend` microservice `webhooks` to post modified webhooks from GitHub Sponsors, more about this process in 4.9. -**IMPORTANT** +#### Important This will likely never change, but it's value is stored in the Pulsar Discord Server: Server Settings > Apps > Integrations > Webhooks > GitHub Sponsors -**OWNERSHIP** +#### Ownership The value of this URL is owned and controlled by Discord. ### 4.8 `GH_TOKEN_DOWNLOAD_MICROSERVICE` -**DESCRIPTION** +#### Description A GitHub PAT token with zero permissions. This token is used so that the `pulsar-edit/frontend` microservice `download` has higher rate limits against the GitHub API. -**IMPORTANT** +#### Important PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by updating the value in GCP's Secret Manager Dashboard. -**PERMISSIONS** +#### Permissions This token requires **zero** permissions, as it doesn't access any organization specific resources. -**OWNERSHIP** +#### Ownership - Last Updated: August 2025 - Who: confused-Techie ### 4.9 `WEBHOOKS_MICROSERVICE_TOKEN` -**DESCRIPTION** +#### Description A secret token that validates a legit webhook request from Github. 
@@ -453,7 +453,7 @@ if the two tokens match, so that it knows the request came from GitHub. If it did, it will then modify the webhook data to be compatible in Discord, so that GitHub Sponsors alerts can be sent in the `#donations` Discord channel. -**IMPORTANT** +#### Important It's best to avoid ever changing this value. As it **must** be changed along with the token used in the GitHub Sponsors Webhook settings (which are different than @@ -462,6 +462,6 @@ GitHub Webhook settings). If changed, this value is currently a random string, and is consumed by the `pulsar-edit/package-frontend` microservice `webhooks`. -**OWNERSHIP** +#### Ownership N/A From 89b1d1c4fda8eaf61c3354f0706cb3e3d4043808 Mon Sep 17 00:00:00 2001 From: confused-Techie Date: Mon, 1 Sep 2025 00:33:59 -0700 Subject: [PATCH 14/15] Remove hard-wrap on all text blocks --- guides/runbooks/secrets.md | 132 +++++++++++-------------------------- 1 file changed, 38 insertions(+), 94 deletions(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 38ffeb2..74750bd 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -12,14 +12,11 @@ Accessible from `https://github.com/organizations/pulsar-edit/settings/secrets/a #### Description -This token allows publish access to our `@pulsar-edit` NPM account. -Likely this token was generated by a user on the NPM organization that has publish access. +This token allows publish access to our `@pulsar-edit` NPM account. Likely this token was generated by a user on the NPM organization that has publish access. #### Important -The secret has very limited _visibility_, only being visible to the repositories -we know need to use it, and any new repo **must** be given access to this secret -via its own “visibility” setting. +The secret has very limited _visibility_, only being visible to the repositories we know need to use it, and any new repo **must** be given access to this secret via its own “visibility” setting. #### Ownership 
@@ -36,13 +33,11 @@ Accessible from `https://github.com/pulsar-edit/pulsar/settings/secrets/actions` #### Description -The AppleID of a developer Apple account. Allows us to sign macOS binaries produced -in GitHub Actions. +The AppleID of a developer Apple account. Allows us to sign macOS binaries produced in GitHub Actions. #### Important -These permissions will fail if the developer has not agreed to the newest Apple -Developer terms of service. +These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. #### Ownership @@ -53,13 +48,11 @@ Developer terms of service. #### Description -The AppleID password of a developer Apple account, that allows us to sign macOS binaries -produced in GitHub Actions. +The AppleID password of a developer Apple account, that allows us to sign macOS binaries produced in GitHub Actions. #### Important -These permissions will fail if the developer has not agreed to the newest Apple -Developer terms of service. +These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. #### Ownership @@ -70,13 +63,11 @@ Developer terms of service. #### Description -The password to decrypt the certificate given in `CSC_LINK`. Tied to an -Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. +The password to decrypt the certificate given in `CSC_LINK`. Tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. #### Important -These permissions will fail if the developer has not agreed to the newest Apple -Developer terms of service. +These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. #### Ownership 
@@ -87,13 +78,11 @@ Developer terms of service. #### Description -The HTTPS link to a certificate. Tied to an Apple developer account that allows -us to sign macOS binaries produced in GitHub Actions. +The HTTPS link to a certificate. Tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. #### Important -These permissions will fail if the developer has not agreed to the newest Apple -Developer terms of service. +These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. #### Ownership @@ -104,13 +93,11 @@ Developer terms of service. #### Description -A GitHub PAT token that gives access to `pulsar-edit/pulsar-electron-next-binaries`. -This ensures that releases can be created and binaries uploaded to it. +A GitHub PAT token that gives access to `pulsar-edit/pulsar-electron-next-binaries`. This ensures that releases can be created and binaries uploaded to it. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated via this secret. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated via this secret. #### Ownership @@ -121,13 +108,11 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Description -A GitHub PAT token that gives access to `pulsar-edit/pulsar-rolling-releases`. -This ensures that releases can be created and binaries uploaded to it. +A GitHub PAT token that gives access to `pulsar-edit/pulsar-rolling-releases`. This ensures that releases can be created and binaries uploaded to it. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated via this secret. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated via this secret. #### Ownership 
@@ -138,13 +123,11 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Description -A value tied to an Apple developer account that allows us to sign macOS -binaries produced in GitHub Actions. +A value tied to an Apple developer account that allows us to sign macOS binaries produced in GitHub Actions. #### Important -These permissions will fail if the developer has not agreed to the newest Apple -Developer terms of service. +These permissions will fail if the developer has not agreed to the newest Apple Developer terms of service. #### Ownership 
@@ -153,30 +136,21 @@ Developer terms of service. ## 3. CirrusCI Secrets -The following secrets are stored within CirrusCI as 'Secured Variables'. -While a 'Secured Variable' doesn't have any title or way to look it up, -this document will use the names we assign to them within `pulsar-edit/pulsar/.cirrus.yml`. +The following secrets are stored within CirrusCI as 'Secured Variables'. While a 'Secured Variable' doesn't have any title or way to look it up, this document will use the names we assign to them within `pulsar-edit/pulsar/.cirrus.yml`. ### 3.1 `GITHUB_TOKEN` #### Description -A GitHub PAT token with zero permissions. This token is used so that CirrusCI's -API requests to GitHub are authenticated and have a higher API rate limit. -This was done due to a high number of requests when downloading `ripgrep`. +A GitHub PAT token with zero permissions. This token is used so that CirrusCI's API requests to GitHub are authenticated and have a higher API rate limit. This was done due to a high number of requests when downloading `ripgrep`. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated by creating a new CirrusCI 'Secured Variable' and either -modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`, or updating -the 'Environment variable overrides' entry for `GITHUB_TOKEN` in the Cirrus CI -web UI. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and either modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`, or updating the 'Environment variable overrides' entry for `GITHUB_TOKEN` in the Cirrus CI web UI. **PERMISSIONS** -This token requires **zero** permissions, as it doesn't access any organization -specific resources. +This token requires **zero** permissions, as it doesn't access any organization specific resources. #### Ownership 
@@ -191,9 +165,7 @@ Identical to `2.6`. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying -the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. #### Ownership @@ -278,9 +250,7 @@ Identical to `2.6`. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated by creating a new CirrusCI 'Secured Variable' and modifying -the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by creating a new CirrusCI 'Secured Variable' and modifying the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. #### Ownership @@ -289,10 +259,7 @@ the variable within `.cirrus.yml` in `pulsar-edit/pulsar`. ## 4. Google Cloud: Secret Manager -The following secrets are stored in GCP's 'Secret Manager'. To access you **must** -be added to the 'pulsar' GCP project. -To modify any of these secrets you **must** be given `secretmanager.secrets.update` -permissions within GCP. +The following secrets are stored in GCP's 'Secret Manager'. To access you **must** be added to the 'pulsar' GCP project. To modify any of these secrets you **must** be given `secretmanager.secrets.update` permissions within GCP. ### 4.1 `ASC_MICROSERVICE_DB_DB` 
@@ -300,14 +267,11 @@ permissions within GCP. The database name for Pulsar's Package Registry Database. -This is used by the `pulsar-edit/package-frontend` microservice `auth-state-cleanup` -to preform periodic cleanup of saved `state` keys used to protect against cross-site -request forgery attacks during the GitHub OAuth signup flow. +This is used by the `pulsar-edit/package-frontend` microservice `auth-state-cleanup` to preform periodic cleanup of saved `state` keys used to protect against cross-site request forgery attacks during the GitHub OAuth signup flow. #### Important -The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under -the 'Connection Pools' tab. As this is the 'table' that the microservice connects to. +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Connection Pools' tab. As this is the 'table' that the microservice connects to. #### Ownership @@ -323,9 +287,7 @@ Identical to `4.1`. #### Important -The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, -under the 'Overview' tab under 'Connection Details'. As this DigitalOcean -controls the hostname we connect to. +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. As this DigitalOcean controls the hostname we connect to. #### Ownership @@ -341,8 +303,7 @@ Identical to `4.1`. #### Important -The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, -under the 'Users & Databases' tab. As this defines the user's available. +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Users & Databases' tab. As this defines the user's available. #### Ownership 
@@ -358,9 +319,7 @@ Identical to `4.1`. #### Important -The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, -under the 'Overview' tab under 'Connection Details'. As this DigitalOcean -controls the port we connect to. +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. As this DigitalOcean controls the port we connect to. #### Ownership @@ -376,9 +335,7 @@ Identical to `4.1`. #### Important -The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, -under the 'Overview' tab under 'Connection Details'. As this DigitalOcean -controls the SSL certificate we use. +The value here is defined in DigitalOcean's `db-pgsql-pulsar` dashboard, under the 'Overview' tab under 'Connection Details'. As this DigitalOcean controls the SSL certificate we use. #### Ownership @@ -404,14 +361,11 @@ N/A #### Description -The Webhook URL used to post to the `#donations` Discord channel as the user `GitHub Sponsors`. -This URL is used by the `pulsar-edit/package-frontend` microservice `webhooks` -to post modified webhooks from GitHub Sponsors, more about this process in 4.9. +The Webhook URL used to post to the `#donations` Discord channel as the user `GitHub Sponsors`. This URL is used by the `pulsar-edit/package-frontend` microservice `webhooks` to post modified webhooks from GitHub Sponsors, more about this process in 4.9. #### Important -This will likely never change, but it's value is stored in the Pulsar Discord Server: -Server Settings > Apps > Integrations > Webhooks > GitHub Sponsors +This will likely never change, but it's value is stored in the Pulsar Discord Server: Server Settings > Apps > Integrations > Webhooks > GitHub Sponsors #### Ownership 
@@ -421,18 +375,15 @@ The value of this URL is owned and controlled by Discord. #### Description -A GitHub PAT token with zero permissions. This token is used so that the `pulsar-edit/frontend` -microservice `download` has higher rate limits against the GitHub API. +A GitHub PAT token with zero permissions. This token is used so that the `pulsar-edit/frontend` microservice `download` has higher rate limits against the GitHub API. #### Important -PAT tokens by default have an expiration date, and if/when this token expires it -**must** be updated by updating the value in GCP's Secret Manager Dashboard. +PAT tokens by default have an expiration date, and if/when this token expires it **must** be updated by updating the value in GCP's Secret Manager Dashboard. #### Permissions -This token requires **zero** permissions, as it doesn't access any organization -specific resources. +This token requires **zero** permissions, as it doesn't access any organization specific resources. #### Ownership 
@@ -445,22 +396,15 @@ specific resources. A secret token that validates a legit webhook request from Github. -This token is a random string manually inserted into the webhook details for Pulsar's -GitHub Sponsors webhook. The same exact token is then used in this variable -on GCP, so that when the `webhook` microservice receives a request it can check -if the two tokens match, so that it knows the request came from GitHub. +This token is a random string manually inserted into the webhook details for Pulsar's GitHub Sponsors webhook. The same exact token is then used in this variable on GCP, so that when the `webhook` microservice receives a request it can check if the two tokens match, so that it knows the request came from GitHub. -If it did, it will then modify the webhook data to be compatible in Discord, so -that GitHub Sponsors alerts can be sent in the `#donations` Discord channel. +If it did, it will then modify the webhook data to be compatible in Discord, so that GitHub Sponsors alerts can be sent in the `#donations` Discord channel. #### Important -It's best to avoid ever changing this value. As it **must** be changed along with -the token used in the GitHub Sponsors Webhook settings (which are different than -GitHub Webhook settings). +It's best to avoid ever changing this value. As it **must** be changed along with the token used in the GitHub Sponsors Webhook settings (which are different than GitHub Webhook settings). -If changed, this value is currently a random string, and is consumed by -the `pulsar-edit/package-frontend` microservice `webhooks`. +If changed, this value is currently a random string, and is consumed by the `pulsar-edit/package-frontend` microservice `webhooks`. #### Ownership From f2e4e04ce229e13614d8d2f6495fbbd09eb7c005 Mon Sep 17 00:00:00 2001 
From: confused-Techie Date: Mon, 1 Sep 2025 00:38:21 -0700 Subject: [PATCH 15/15] Change `Last Updated` to `Accurate as of` This is meant to address feedback and attempt to better show what this datapoint is supposed to represent. We can always consider fully removing this in the future if we find it pointless to keep. --- guides/runbooks/secrets.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/guides/runbooks/secrets.md b/guides/runbooks/secrets.md index 74750bd..ed0a832 100644 --- a/guides/runbooks/secrets.md +++ b/guides/runbooks/secrets.md @@ -20,7 +20,7 @@ The secret has very limited _visibility_, only being visible to the repositories #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: confused-Techie ## 2 `pulsar-edit/pulsar` Repository Level Secrets @@ -41,7 +41,7 @@ These permissions will fail if the developer has not agreed to the newest Apple #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: meadowsys ### 2.2 `APPLEID_PASSWORD` @@ -56,7 +56,7 @@ These permissions will fail if the developer has not agreed to the newest Apple #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: meadowsys ### 2.3 `CSC_KEY_PASSWORD` @@ -71,7 +71,7 @@ These permissions will fail if the developer has not agreed to the newest Apple #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: meadowsys ### 2.4 `CSC_LINK` @@ -86,7 +86,7 @@ These permissions will fail if the developer has not agreed to the newest Apple #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: meadowsys ### 2.5 `ELECTRON_NEXT_BINARIES_UPLOAD_TOKEN` @@ -101,7 +101,7 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: DeeDeeG ### 2.6 `ROLLING_RELEASE_UPLOAD_TOKEN` 
@@ -116,7 +116,7 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: DeeDeeG ### 2.7 `TEAM_ID` @@ -131,7 +131,7 @@ These permissions will fail if the developer has not agreed to the newest Apple #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: meadowsys ## 3. CirrusCI Secrets @@ -154,7 +154,7 @@ This token requires **zero** permissions, as it doesn't access any organization #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: DeeDeeG ### 3.2 `ROLLING_UPLOAD_TOKEN` @@ -169,7 +169,7 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: DeeDeeG ### 3.3 `CSC_LINK` @@ -254,7 +254,7 @@ PAT tokens by default have an expiration date, and if/when this token expires it #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: DeeDeeG ## 4. Google Cloud: Secret Manager @@ -387,7 +387,7 @@ This token requires **zero** permissions, as it doesn't access any organization #### Ownership -- Last Updated: August 2025 +- Accurate as of: August 2025 - Who: confused-Techie ### 4.9 `WEBHOOKS_MICROSERVICE_TOKEN`
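Review bot: In PATCH 14/15, hunk `@@ -153,30 +136,21 @@` (section 3.1 `GITHUB_TOKEN`), the context line `**PERMISSIONS**` is still a bold all-caps label, while the same block under 4.8 (hunk `@@ -421,18 +375,15 @@`) already reads `#### Permissions`. Since this series converts the other labels to `####` headings, change this one to `#### Permissions` as well so the 3.1 entry renders and anchors like the rest.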
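Review bot: In PATCH 14/15, hunk `@@ -300,14 +267,11 @@` (section 4.1 `ASC_MICROSERVICE_DB_DB`), the re-joined description line still says "to preform periodic cleanup", which should be "perform". In the same hunk, "As this is the 'table' that the microservice connects to." is a sentence fragment and calls the value a table, although the description says it is the database name taken from the 'Connection Pools' tab. Since these lines are being rewritten anyway, consider joining the fragment to the previous sentence and using one term for the value.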
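Review bot: In PATCH 14/15, hunks `@@ -323,9 +287,7 @@` through `@@ -376,9 +335,7 @@` (sections 4.2 to 4.5), each added line ends in a fragment that is hard to parse: "As this DigitalOcean controls the hostname we connect to." (and the port and SSL certificate variants), and "As this defines the user's available." where "user's" should be "users". Suggest something like "DigitalOcean controls the hostname we connect to." and "This tab defines the available users." so a maintainer looking up where a value lives does not have to guess the meaning.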
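Review bot: In PATCH 14/15, hunk `@@ -421,18 +375,15 @@` (section 4.8), the added line names the consumer as the `pulsar-edit/frontend` microservice `download`, while every other entry in this file refers to `pulsar-edit/package-frontend`. Please confirm which repository is meant and make the name consistent, because this document is what someone will follow when the PAT expires. The preceding hunk `@@ -404,14 +361,11 @@` also carries "but it's value is stored" forward, which should be "its value".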
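Review bot: In PATCH 14/15, hunk `@@ -445,22 +396,15 @@` (section 4.9 `WEBHOOKS_MICROSERVICE_TOKEN`), the Important block says the value should never change but does not say what to do if it has to, and "If changed, this value is currently a random string" trails off without an instruction. A shared secret with no documented rotation path is a problem the day it leaks, so spell out the steps the text already implies: generate a new random string, then update both the GCP Secret Manager value and the GitHub Sponsors Webhook setting together. The same hunk also names the consumer as the `webhook` microservice in the description and `webhooks` in the Important block, and the context line spells "Github"; pick one microservice name and use "GitHub".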
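Review bot: In PATCH 15/15, the hunks for the PAT-backed entries (2.5, 2.6, 3.1, 3.2 and 4.8), `Accurate as of: August 2025` records when the entry was checked but not when the token expires, even though each of those entries warns that PAT tokens have an expiration date and **must** be updated. Consider adding an expiry line next to it so the runbook shows what is about to break. The renamed line also leaves `Who:` ambiguous between the person who owns the credential and the person who verified the entry; a short note at the top of the file defining both fields would settle that.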
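Review bot: In PATCH 15/15, hunk `@@ -20,7 +20,7 @@`, the context line `## 2 `pulsar-edit/pulsar` Repository Level Secrets` has no period after the section number, while `## 3. CirrusCI Secrets` and `## 4. Google Cloud: Secret Manager` in later hunks do. This is outside the changed line, but since the series is already normalising headings it is worth fixing here so the numbering style is uniform.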