# GitHub Secrets Setup for HubSpot Sync Cron **Last Updated:** 2026-03-06 Step-by-step guide for adding the `CRON_WEBHOOK_SECRET` to GitHub Secrets so the scheduled workflow can authenticate with the webhook endpoint. ## Quick Setup (2 Minutes) ### Step 1: Navigate to Repository Settings 1. Go to your GitHub repository: `https://github.com/YOUR_USERNAME/YOUR_REPO` 2. Click on **Settings** tab (top navigation bar) 3. In the left sidebar, click **Secrets and variables** → **Actions** ### Step 2: Add New Secret 1. Click **New repository secret** button (top right) 2. **Name:** `CRON_WEBHOOK_SECRET` 3. **Secret:** Enter the token value: - **Option A (Recommended):** Use the hardcoded fallback token from `v2/config/cron-webhook-config.php`: ``` cf5a877749d9c94e4d6c0bfee780d73b ``` - **Option B:** Generate a new token (must match what's in config file): ```bash openssl rand -hex 16 ``` 4. Click **Add secret** ### Step 3: Verify Secret is Added You should see `CRON_WEBHOOK_SECRET` listed in the "Repository secrets" section. ## Token Value The token value should match the hardcoded fallback in `v2/config/cron-webhook-config.php`: ```php if ($secretToken === '') { $secretToken = 'cf5a877749d9c94e4d6c0bfee780d73b'; } ``` **Current hardcoded token:** `cf5a877749d9c94e4d6c0bfee780d73b` If you want to use a different token: 1. Update the hardcoded fallback in `v2/config/cron-webhook-config.php` 2. Update the GitHub Secret to match 3. Update any external cron services using the old token ## Testing After adding the secret, test the workflow: 1. Go to **Actions** tab 2. Select **HubSpot Sync Cron** workflow 3. Click **Run workflow** → **Run workflow** (manual trigger) 4. Check the workflow run logs to verify it calls the webhook successfully Expected output in logs: ``` HTTP Status: 200 Success: true Message: Sync completed successfully Partners Processed: 15 ``` ## Troubleshooting ### Secret Not Found Error **Error:** `Secret CRON_WEBHOOK_SECRET not found` **Solution:** - Verify secret name is exactly `CRON_WEBHOOK_SECRET` (case-sensitive) - Check you're adding it to the correct repository - Ensure you're in **Settings** → **Secrets and variables** → **Actions** (not Environment secrets) ### 401 Unauthorized Error **Error:** HTTP 401 in workflow logs **Solution:** - Verify the token in GitHub Secret matches the hardcoded fallback in `cron-webhook-config.php` - Check for extra spaces or newlines when copying the token - Token should be exactly 32 characters (hex) ### Workflow Not Running **Issue:** Scheduled workflow doesn't run automatically **Solution:** - GitHub Actions scheduled workflows only run if: - Repository is public, OR - Repository is private AND has GitHub Actions enabled AND has at least one workflow run in the past 30 days - Check **Settings** → **Actions** → **General** → **Workflow permissions** is set to "Read and write permissions" - Verify cron schedule syntax: `cron: '0 * * * *'` (every hour at minute 0) ## Security Notes - **GitHub Secrets are encrypted** and only accessible to workflows - Secret values are **never displayed** in logs (even if you echo them) - Secret is only used in the workflow environment, not exposed to the webhook endpoint - The webhook endpoint receives the token via query parameter (HTTPS only) ## Related Documentation - [CRON_WITHOUT_SERVER_ACCESS.md](CRON_WITHOUT_SERVER_ACCESS.md) - Quick reference guide - [WEBHOOK_CRON_SETUP.md](WEBHOOK_CRON_SETUP.md) - Detailed webhook setup - [CRON_INSTALLATION.md](CRON_INSTALLATION.md) - Complete installation guide