skills/grundwerk/skills/trigger-deploy-guard

trigger-deploy-guard

SKILL.md

Trigger.dev Deployment Guard

Security gate that prevents secrets and API keys from being committed to Git or deployed. This check is MANDATORY before any commit, push, or deploy in a Trigger.dev project.

When to Use

  • Before running npx trigger.dev deploy
  • Before committing code in a project that contains trigger.config.ts
  • Before pushing code to a remote repository
  • When the user asks to "deploy", "go live", "push", or "commit" in a Trigger.dev project
  • When creating a new Trigger.dev project (to ensure secure setup)

Security Check Process

Step 1: Secret Scan

Use the Grep tool to scan ALL project files (excluding node_modules/, package-lock.json, .git/) for these patterns:

Trigger.dev Keys:

tr_dev_[a-zA-Z0-9]
tr_prod_[a-zA-Z0-9]
TRIGGER_SECRET_KEY=tr_

Generic API Keys and Secrets (match these case-insensitively, so apiKey, API_KEY and Password are all caught):

api[_-]?key\s*[:=]\s*["'][^"']{8,}
password\s*[:=]\s*["'][^"']+
secret\s*[:=]\s*["'][^"']+
Bearer [a-zA-Z0-9+/=]{20,}
sk_live_[a-zA-Z0-9]
sk_test_[a-zA-Z0-9]

Base64-encoded secrets (common in MCP configs): look for base64-looking runs longer than 40 characters in .ts, .js and .json files (excluding package-lock.json). These often hold encoded API keys, but the heuristic also fires on hashes, source maps and inline assets, so inspect each hit in context and treat it as a finding unless it is clearly not a credential.

Files to scan: *.ts, *.js, *.json, *.yaml, *.yml, *.env*, *.config.*
Files to SKIP: node_modules/, package-lock.json, .git/, dist/, .trigger/

A local .env that Git ignores is expected to contain real values; a match there is not a finding on its own, but Step 2 must confirm that the file is untracked. .env.example is scanned like any other file and must contain only placeholders.

If ANY secret pattern is found: STOP. Do NOT proceed with commit/deploy. Report the finding with exact file, line number, and matched pattern, but mask the matched value (for example, show only its first few characters) so the report itself does not reproduce the secret in a chat transcript or CI log. Instruct the user to:

  1. Move the secret to Trigger.dev Dashboard → Environment Variables
  2. Replace the hardcoded value with process.env.VARIABLE_NAME
  3. If the secret was already committed: warn that Git history contains the secret and that it must be rotated (see Important Rules)

Step 2: Git Safety Check

Check .gitignore exists and contains required entries:

Use the Read tool on .gitignore. It MUST contain ALL of these:

  • .env or .env*
  • node_modules/
  • .trigger/
  • dist/

If any entry is missing: STOP. Add the missing entries to .gitignore before proceeding.

Check for tracked .env files:

Run: git ls-files '*.env*'

Git's pathspec glob lets * span directory separators, so this lists .env files in every subdirectory. It also matches names that merely contain .env (for example .environment.ts) and template files such as .env.example, which are safe to track; only real .env and .env.<stage> files count as findings.

If ANY real .env file is tracked by Git: STOP. Instruct the user:

  1. git rm --cached <file> for each reported file (removes it from Git tracking without deleting it)
  2. Verify .gitignore has .env*
  3. Commit the removal: git commit -m "Remove tracked .env files"
  4. WARN: "The .env file is still in Git history. If it contained real secrets, consider them compromised and rotate them."

Step 3: Trigger.dev Config Validation

Check that trigger.config.ts exists. If it does not, this is not a Trigger.dev project: skip the remaining steps.

Read trigger.config.ts and verify:

  • Has a project field with a valid project reference (in Trigger.dev v3 projects this is the proj_... identifier shown in the dashboard; it identifies the project and is not a secret, so it belongs in the committed config)
  • Does NOT contain any hardcoded API keys, tokens, or secrets
  • Uses process.env.* for any sensitive values
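Steps 1 to 3 above as one runnable pre-commit style script. This is an added example and not part of the skill: the patterns, file sets and required .gitignore entries are the ones listed above, while the proj_ shape of the project reference, the exemption of .env.example/.env.sample/.env.template from the tracked-file check, and the use of git check-ignore to skip an ignored local .env are this example's own assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the skill's own code): Steps 1-3 of the deployment guard.
# Patterns, file sets and .gitignore entries follow the page; the proj_ ref shape,
# the .env.example/.sample/.template exemption and the git check-ignore skip are
# assumptions made here.

# Step 1 patterns as POSIX EREs ([[:space:]] stands in for \s, which not every grep knows).
TRIGGER_PATTERNS='tr_dev_[a-zA-Z0-9]+|tr_prod_[a-zA-Z0-9]+|TRIGGER_SECRET_KEY=tr_|sk_live_[a-zA-Z0-9]+|sk_test_[a-zA-Z0-9]+|Bearer [a-zA-Z0-9+/=]{20,}'
GENERIC_PATTERNS="api[_-]?key[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}|password[[:space:]]*[:=][[:space:]]*[\"'][^\"']+|secret[[:space:]]*[:=][[:space:]]*[\"'][^\"']+"
BASE64_PATTERN='[A-Za-z0-9+/]{40,}={0,2}'   # heuristic: long base64-looking runs in .ts/.js/.json

# Files Step 1 looks at: the listed extensions minus the skipped directories and
# package-lock.json. Inside a Git repo a file Git ignores (the local .env) is skipped:
# it is expected to hold real values, and Step 2 verifies it is not tracked.
candidate_files() {
    dir=$1
    find "$dir" \( -name node_modules -o -name .git -o -name dist -o -name .trigger \) -prune -o \
        -type f \( -name '*.ts' -o -name '*.js' -o -name '*.json' -o -name '*.yaml' -o -name '*.yml' \
        -o -name '.env*' -o -name '*.config.*' \) ! -name package-lock.json -print |
    while IFS= read -r f; do
        git -C "$dir" check-ignore -q "${f#"$dir"/}" </dev/null 2>/dev/null || printf '%s\n' "$f"
    done
}

# Prints file:line:match for every hit; returns 1 if anything matched, 0 when clean.
scan_secrets() {
    ! candidate_files "$1" | while IFS= read -r f; do
        grep -HnE "$TRIGGER_PATTERNS" "$f"
        grep -HniE "$GENERIC_PATTERNS" "$f"
        case $f in *.ts|*.js|*.json) grep -HnE "$BASE64_PATTERN" "$f" ;; esac
    done | grep .
}

# Step 2a: every required .gitignore entry must be present (a leading "/" is tolerated).
check_gitignore() {
    gi="$1/.gitignore"; gi_rc=0
    [ -f "$gi" ] || { echo ".gitignore: missing"; return 1; }
    for pat in '^/?\.env\*?$' '^/?node_modules/?$' '^/?\.trigger/?$' '^/?dist/?$'; do
        grep -qE "$pat" "$gi" || { echo ".gitignore: no entry matching $pat"; gi_rc=1; }
    done
    return $gi_rc
}

# Step 2b: .env files in the index. Templates (.env.example etc.) hold placeholders and
# are allowed (assumption); returns 1 and lists the files if a real .env is tracked.
tracked_env_files() {
    ! git -C "$1" ls-files | grep -E '(^|/)\.env(\.[^/]*)?$' \
        | grep -vE '\.env\.(example|sample|template)$' | grep .
}

# Step 3: trigger.config.ts must name a project ref and hold no secrets.
# Returns 0 clean, 1 problem, 2 when the file is absent (not a Trigger.dev project).
check_config() {
    cfg="$1/trigger.config.ts"; cfg_rc=0
    [ -f "$cfg" ] || { echo "no trigger.config.ts: not a Trigger.dev project"; return 2; }
    grep -qE "project:[[:space:]]*[\"']proj_[a-zA-Z0-9]+[\"']" "$cfg" \
        || { echo "$cfg: no project field with a proj_... reference"; cfg_rc=1; }
    grep -HnE "$TRIGGER_PATTERNS" "$cfg" && cfg_rc=1
    grep -HniE "$GENERIC_PATTERNS" "$cfg" && cfg_rc=1
    return $cfg_rc
}

# Runs the three steps and prints a Step 5 style verdict. 0 = GREEN, 1 = RED.
deploy_guard() {
    dir=$1; guard_rc=0
    echo "== Step 1: secret scan";       scan_secrets "$dir" || guard_rc=1
    echo "== Step 2: .gitignore";        check_gitignore "$dir" || guard_rc=1
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "== Step 2: tracked .env files"; tracked_env_files "$dir" || guard_rc=1
    fi
    echo "== Step 3: trigger.config.ts"; check_config "$dir" || [ $? -eq 2 ] || guard_rc=1
    if [ "$guard_rc" -eq 0 ]; then echo "Security Check PASSED. Safe to proceed."
    else echo "SECURITY CHECK FAILED. DO NOT proceed."; fi
    return "$guard_rc"
}

# Stand-alone use: sh deploy-guard.sh /path/to/project (as a pre-commit hook, pass ".").
[ $# -gt 0 ] && deploy_guard "$1"
```

A hit inside an untracked, ignored .env is deliberately not reported, because that is where the local dev key is supposed to live; the same file becomes a finding the moment it is staged, since git check-ignore does not report tracked files and the scan then sees it.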

Step 4: Pre-Deploy Reminder

Before deploying, display this reminder to the user:

Pre-Deploy Checklist:
- [ ] All secrets are set in Trigger.dev Dashboard → Environment Variables
- [ ] No secrets in code (Step 1 passed)
- [ ] .gitignore is correct (Step 2 passed)
- [ ] trigger.config.ts is clean (Step 3 passed)
- [ ] Local test with `npx trigger.dev dev` was successful

Ready to deploy? Running: npx trigger.dev deploy

Step 5: Report

If all checks pass (GREEN):

Security Check PASSED. No secrets found in code.
- Files scanned: [count]
- .gitignore: valid
- .env files: not tracked
- trigger.config.ts: clean
Safe to proceed with [commit/deploy].

If any check fails (RED):

SECURITY CHECK FAILED. DO NOT proceed.

Issues found:
[List each issue with file, line, and fix instruction]

Fix all issues above before committing or deploying.

Important Rules

  • NEVER skip this check. Even if the user says "just deploy it" or "it's fine" — run the check first.
  • Secrets in Git history are compromised. If a secret was committed even once, it must be rotated (new key generated) even after removal; rewriting history does not undo exposure to anyone who already fetched the commit.
  • .env.example is safe to commit; it should contain placeholder values like YOUR_KEY_HERE, never real secrets. If .gitignore uses .env*, add a !.env.example line so the template itself stays tracked.
  • Task payloads are visible in the Trigger.dev dashboard. Never pass secrets as task parameters; use process.env.* inside the task instead.