Copilot AI commented Aug 24, 2025

Problem

Environment variable names starting with GITHUB_ are reserved by GitHub Actions and should not be used for custom secrets or configuration. Using these names can lead to conflicts and security issues in CI/CD environments.

Solution

Added validation to the environment configuration system that prevents the use of environment variable names starting with GITHUB_. The validation occurs early in the application startup process, before schema validation, ensuring problematic configurations are caught immediately.

Implementation Details

Core Changes

  • lib/config/env.ts: Added validation in validateEnv() function to check for GITHUB_ prefixed environment variables
  • lib/config/__tests__/config.test.ts: Added comprehensive test case to verify the validation works correctly

Validation Logic

  1. Scans all environment variable names before Zod schema parsing
  2. Identifies any variables starting with GITHUB_
  3. Throws a clear error message listing all problematic variables
  4. Provides actionable guidance to use different prefixes

Error Example

Environment validation failed:
Secret names must not start with GITHUB_ as this prefix is reserved by GitHub.
Found variables: GITHUB_SECRET, GITHUB_TOKEN

Please rename these variables to use a different prefix.

Testing

The implementation includes a focused test case that verifies:

  • Variables with GITHUB_ prefix are correctly rejected
  • Clear error messages are provided
  • The validation integrates properly with the existing configuration system

Security Impact

This change prevents conflicts with GitHub Actions reserved environment variables and follows security best practices for secret management. The early validation ensures that misconfigured environments are detected during application startup rather than at runtime.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • fonts.googleapis.com

If you need me to access, download, or install something from one of these locations, you can either:
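The "Validation Logic" steps above (scan names before schema parsing, collect every name starting with GITHUB_, throw one error listing them) as an added example. This is illustrative code written for this page, not the project's lib/config/env.ts; the `scope` parameter and the case-insensitive match are assumptions of the example and are explained in the comments.

```typescript
// Added example, not the project's own lib/config/env.ts. It implements the
// pre-schema check the PR describes: scan variable names, collect the ones that
// use the reserved GITHUB_ prefix, and fail with one message listing them all.

export const RESERVED_PREFIX = "GITHUB_";

export type Env = Record<string, string | undefined>;

/**
 * Return, sorted, the variable names in `env` that start with `prefix`.
 * Matching is case-insensitive, an assumption made by this example: GitHub
 * compares secret names case-insensitively, so `github_token` is as wrong as
 * `GITHUB_TOKEN` even though the OS environment distinguishes the two.
 */
export function findReservedNames(env: Env, prefix: string = RESERVED_PREFIX): string[] {
  const upperPrefix = prefix.toUpperCase();
  return Object.keys(env)
    .filter((name) => name.toUpperCase().indexOf(upperPrefix) === 0)
    .sort();
}

/** Build the error text in the same shape as the PR's "Error Example". */
export function formatReservedNamesError(names: string[], prefix: string = RESERVED_PREFIX): string {
  return [
    "Environment validation failed:",
    `Secret names must not start with ${prefix} as this prefix is reserved by GitHub.`,
    `Found variables: ${names.join(", ")}`,
    "",
    "Please rename these variables to use a different prefix.",
  ].join("\n");
}

/**
 * Reject reserved names before any schema parsing runs.
 *
 * `scope` is an addition of this example, not part of the PR: when given, only
 * those variable names are inspected. Without it the whole environment is
 * scanned, which is what the PR describes, but a process started by a GitHub
 * Actions runner already carries runner-injected variables such as
 * GITHUB_ACTIONS and GITHUB_SHA, so an unscoped scan fails in CI for reasons
 * unrelated to the application's own secrets. Scoping to the names the app's
 * schema declares keeps the check aimed at the misconfiguration it targets.
 */
export function validateEnv(env: Env, scope?: string[]): void {
  let candidates: Env = env;
  if (scope !== undefined) {
    candidates = {};
    for (const name of Object.keys(env)) {
      if (scope.indexOf(name) !== -1) candidates[name] = env[name];
    }
  }
  const offending = findReservedNames(candidates);
  if (offending.length > 0) {
    const err = new Error(formatReservedNamesError(offending));
    err.name = "EnvValidationError";
    throw err;
  }
}

/** Run validation and return the error message, or null when it passes. */
export function tryValidate(env: Env, scope?: string[]): string | null {
  try {
    validateEnv(env, scope);
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : String(err);
  }
}

// Constructed sample environments (placeholder values, not real secrets).
export const SAMPLE_BAD_ENV: Env = {
  DATABASE_URL: "postgres://localhost/app",
  GITHUB_SECRET: "placeholder",
  GITHUB_TOKEN: "placeholder",
  APP_SECRET: "placeholder",
};

export const SAMPLE_CI_ENV: Env = {
  GITHUB_ACTIONS: "true",
  GITHUB_SHA: "0000000000000000000000000000000000000000",
  APP_SECRET: "placeholder",
};
```

Running `tryValidate(SAMPLE_BAD_ENV)` yields the five-line message shown under "Error Example" with `GITHUB_SECRET, GITHUB_TOKEN` listed; `tryValidate(SAMPLE_CI_ENV)` also fails because of the runner-provided variables, while `tryValidate(SAMPLE_CI_ENV, ["APP_SECRET"])` passes, which is why a check of this kind is better pointed at the variables the application itself declares than at the entire process environment.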



@code-craka code-craka marked this pull request as ready for review August 24, 2025 19:06
- Added validation in validateEnv() to check for GITHUB_ prefixed environment variables
- Added comprehensive test case to verify the validation works correctly
- Provides clear error messages with guidance on alternatives
- Prevents conflicts with GitHub Actions reserved environment variables
Copilot AI requested a review from code-craka as a code owner August 24, 2025 19:14
Copilot AI changed the title from "[WIP] Secret names must not start with GITHUB_." to "feat: add validation to prevent secret names starting with GITHUB_" Aug 24, 2025
@github-actions

⚡ Performance Analysis

📦 Bundle Impact:

  • Check for new dependencies that might increase bundle size
  • Verify tree-shaking compatibility
  • Consider lazy loading for large components

🎯 Core Web Vitals Considerations:

  • LCP (Largest Contentful Paint): Ensure images are optimized
  • FID (First Input Delay): Minimize JavaScript execution time
  • CLS (Cumulative Layout Shift): Use proper sizing for media

📹 StreamVault Performance Tips:

  • Use next/image for optimized image delivery
  • Implement proper video preloading strategies
  • Consider CDN caching for static assets
  • Use React.memo for expensive rendering operations

🤖 Run lighthouse audits to validate performance impact.

@github-actions

🤖 AI Code Review Analysis

📁 Files Changed:

  • lib/config/__tests__/config.test.ts
  • lib/config/env.ts

🔒 Security Analysis:

⚠️ Potential sensitive data detected - Please review for hardcoded secrets

🎯 Code Quality Analysis:

✅ Code follows StreamVault conventions

⚡ Performance Analysis:

✅ No obvious performance issues detected

🎬 StreamVault Specific Analysis:

🔐 Authentication code detected - Ensure proper security measures
📹 Streaming code detected - Verify performance optimizations
💳 Payment code detected - Ensure PCI compliance and security

📋 Recommendations:

  • Run tests locally before pushing
  • Update documentation if API changes
  • Consider accessibility implications
  • Test on multiple devices/browsers
  • Review Core Web Vitals impact

🤖 This review was generated by GitHub Copilot AI. Please review suggestions carefully.
