Remove exposed .env file and add to .gitignore #3437

Merged
mattgperry merged 1 commit into main from claude/remove-env-key-PWhHt
Jan 5, 2026
Conversation

@mattgperry
Collaborator

Security fix: Remove accidentally committed .env file containing UPDATE_SECRET_TOKEN and add .env patterns to .gitignore to prevent future accidental commits of environment files.

mattgperry merged commit 2190c34 into main on Jan 5, 2026 (1 of 4 checks passed)
mattgperry deleted the claude/remove-env-key-PWhHt branch on January 5, 2026 at 09:54
@claude (bot) commented Jan 5, 2026

Security Review: Critical Issue - Exposed Secret Token

Summary

This PR addresses a critical security vulnerability where a secret token (UPDATE_SECRET_TOKEN) was accidentally committed to the repository. The fix is on the right track, but there are important additional steps required.

✅ What's Good

  1. Immediate Action: Removing the .env file from the repository is the correct first step
  2. Prevention: Adding comprehensive .env patterns to .gitignore will prevent future accidental commits:
    • .env - base environment file
    • .env.* - variants like .env.local, .env.production, etc.
  3. Code Quality: The .gitignore patterns follow best practices

🚨 Critical Security Actions Required

The exposed token 9f458b886b794925ce3c511f81e9812bf68fbffee14b3f33cd is now in the Git history and must be considered compromised.

Immediate Actions Needed:

  1. Rotate the Secret Token ⚠️ URGENT

    • The UPDATE_SECRET_TOKEN is used in scripts/notify-slack.js:87 to authenticate with the Slack API endpoint
    • Generate a new secret token immediately
    • Update it in your CI/CD environment (GitHub Secrets, or wherever it's configured for production)
    • The old token should be invalidated on the API side if possible
  2. Remove from Git History (Optional but Recommended)

    • Even though this PR deletes the file, it remains in Git history
    • Anyone with access to the repository can view the commit history and retrieve the token
    • Consider using tools like git filter-branch or BFG Repo-Cleaner to completely remove it from history
    • Note: This requires force-pushing and coordinating with all contributors
  3. Audit Recent Activity

    • Check logs on https://api.motion.dev/slack/update for any unauthorized usage of this token
    • Review any Slack messages sent to ensure no unauthorized notifications were sent

📋 Additional Recommendations

  1. Example Environment File

    • Consider adding a .env.example file with placeholder values:
      UPDATE_SECRET_TOKEN=your-secret-token-here
    • This helps developers set up their local environment without exposing real secrets
    • Add to .gitignore any other patterns: .env.example should NOT be in .gitignore
  2. Documentation

    • Add a comment in scripts/notify-slack.js or create README documentation about required environment variables
    • Document where to obtain/configure UPDATE_SECRET_TOKEN for authorized users
  3. Dependency Check

    • Verify that dotenv is listed in package.json dependencies (referenced in scripts/notify-slack.js:4)
  4. Consider Git Hooks

    • Add a pre-commit hook to prevent committing .env files
    • Tools like git-secrets or detect-secrets can help catch secrets before they're committed

Code Review - notify-slack.js

The usage of UPDATE_SECRET_TOKEN in scripts/notify-slack.js:87 is properly implemented:

  • ✅ Loaded from environment variables
  • ✅ Has fallback for dev mode
  • ✅ Throws error if missing in production (scripts/notify-slack.js:89-92)
  • ✅ Used in Authorization header (scripts/notify-slack.js:113)

Verdict

This PR should be merged to remove the exposed secret from the main branch, BUT the security incident response is incomplete.

Required before this is fully resolved:

  • Rotate UPDATE_SECRET_TOKEN and update in production environment
  • Verify no unauthorized API access occurred
  • Consider scrubbing Git history

The .gitignore changes are solid and will prevent future incidents.

Severity: Critical (exposed API authentication token)
Priority: Merge immediately + complete token rotation

Great catch on finding this and addressing it promptly! 👍
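The prevention side of the review (the `.env` / `.env.*` ignore rules and a pre-commit secret check along the lines of git-secrets or detect-secrets), as an added example in the project's language; this is not code from the PR or from the Motion repository. The staged-file check mirrors the two `.gitignore` patterns and adds the `!.env.example` negation that the review's "keep .env.example committable" advice needs, since `.env.*` on its own also matches `.env.example`. The function names, the credential regex, the placeholder heuristic and the sample staged tree are all constructed for this illustration.

```javascript
// Added example, not code from the PR or the project: a pre-commit style check
// for the two failure modes the review describes. Function names, regexes and
// the sample staged tree below are constructed for this illustration.

// Mirrors the .gitignore rules from the PR, plus the negation needed so the
// template file can still be committed:
//   .env           -> blocked
//   .env.*         -> blocked (.env.local, .env.production, ...)
//   !.env.example  -> allowed (without this line, `.env.*` also matches it)
function isEnvFile(filePath) {
  const base = filePath.split('/').pop();
  if (base === '.env.example') return false;
  return base === '.env' || base.startsWith('.env.');
}

// Values that are obviously placeholders and safe to commit (heuristic).
const PLACEHOLDER = /^(your-|changeme|xxx|placeholder|example)/i;

// A `KEY=value` or `export KEY=value` line whose key names a credential and
// whose value is a long, real-looking token (24+ token characters).
const SECRET_LINE =
  /^\s*(?:export\s+)?([A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*)\s*=\s*["']?([A-Za-z0-9+/=_-]{24,})["']?;?\s*$/;

// stagedFiles: object of path -> content, as a hook would collect from
// `git diff --cached --name-only` plus `git show :<path>`.
// Returns one finding per blocked file or hard-coded credential.
function findSecretLeaks(stagedFiles) {
  const findings = [];
  for (const [filePath, content] of Object.entries(stagedFiles)) {
    if (isEnvFile(filePath)) {
      findings.push({ file: filePath, line: 0, reason: 'environment file matches .gitignore pattern' });
      continue; // the whole file is blocked, no need to scan its lines
    }
    content.split('\n').forEach((text, index) => {
      const match = SECRET_LINE.exec(text);
      if (match && !PLACEHOLDER.test(match[2])) {
        findings.push({ file: filePath, line: index + 1, reason: `hard-coded ${match[1]}` });
      }
    });
  }
  return findings;
}

// Constructed staged tree: one leaked .env, one committable template,
// one clean script, one shell script with a credential pasted in.
const SAMPLE_STAGED = {
  '.env': 'UPDATE_SECRET_TOKEN=0123456789abcdef0123456789abcdef\n',
  '.env.example': 'UPDATE_SECRET_TOKEN=your-secret-token-here\n',
  'scripts/notify-slack.js': 'const token = process.env.UPDATE_SECRET_TOKEN;\n',
  'scripts/deploy.sh': 'export SLACK_API_KEY="deadbeefdeadbeefdeadbeefdeadbeef"\n',
};

// A real hook would exit non-zero whenever the list is non-empty.
const sampleFindings = findSecretLeaks(SAMPLE_STAGED);
console.log(sampleFindings.length ? sampleFindings : 'no secrets staged');
```

Run against the sample tree this reports the `.env` file and the `SLACK_API_KEY` line in `scripts/deploy.sh`, and lets `.env.example` and the `process.env` lookup through. The regex is deliberately narrow (assignment lines with a credential-like key); dedicated scanners add entropy scoring and provider-specific token formats, which is why the review points at git-secrets and detect-secrets rather than a home-grown rule.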

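The token-handling pattern the review credits to scripts/notify-slack.js (loaded from the environment, a fallback in dev, a hard failure when missing in production, sent only in the Authorization header), written out as an added example. This is not the project's script, whose source is not shown in the PR; `resolveUpdateToken`, `buildUpdateRequest`, `redactForLog`, the `Bearer` scheme and the dev placeholder value are assumptions made for this illustration. The endpoint URL is the one named in the review.

```javascript
// Added example, not the project's scripts/notify-slack.js: the fail-closed
// credential pattern described in the review. All names and the placeholder
// value are assumptions for this illustration.

const DEV_FALLBACK_TOKEN = 'dev-placeholder-token'; // never valid against the real API

// Reads the token from an env object (process.env in real use) so the logic
// can be exercised without touching the real environment.
function resolveUpdateToken(env) {
  const token = env.UPDATE_SECRET_TOKEN;
  const production = env.NODE_ENV === 'production';
  if (typeof token === 'string' && token.trim() !== '') return token.trim();
  if (production) {
    // Fail closed: a missing or blank credential in production aborts the
    // notification instead of silently sending a placeholder.
    throw new Error('UPDATE_SECRET_TOKEN is required in production');
  }
  return DEV_FALLBACK_TOKEN;
}

// Builds the request; the token travels only in the Authorization header,
// never in the URL or the JSON body.
function buildUpdateRequest(env, payload) {
  const token = resolveUpdateToken(env);
  return {
    method: 'POST',
    url: 'https://api.motion.dev/slack/update', // endpoint named in the review
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${token}`, // Bearer scheme assumed
    },
    body: JSON.stringify(payload),
  };
}

// Returns a copy safe to log, so the token never lands in CI output.
function redactForLog(request) {
  return {
    ...request,
    headers: { ...request.headers, Authorization: 'Bearer [redacted]' },
  };
}

// Demonstration with a constructed env object (not process.env, so it runs
// the same way regardless of the caller's NODE_ENV).
const demoRequest = buildUpdateRequest({ NODE_ENV: 'development' }, { text: 'deploy finished' });
console.log(redactForLog(demoRequest));
```

The two checks worth keeping from this shape are that a blank or whitespace-only value is treated as missing, and that the dev fallback is a string the real endpoint will reject, so a misconfigured production run fails loudly rather than posting under a shared placeholder.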