Trigger.dev Deployment Guard
Security gate that prevents secrets and API keys from being committed to Git or deployed. This check is MANDATORY before any commit, push, or deploy in a Trigger.dev project.
When to Use
- Before running npx trigger.dev deploy
- Before committing code in a project that contains trigger.config.ts
- Before pushing code to a remote repository
- When the user asks to "deploy", "go live", "push", or "commit" in a Trigger.dev project
- When creating a new Trigger.dev project (to ensure secure setup)
Security Check Process
Step 1: Secret Scan
Use the Grep tool to scan ALL project files (excluding node_modules/, package-lock.json, .git/) for these patterns:
Trigger.dev Keys:
```
tr_dev_[a-zA-Z0-9]+
tr_prod_[a-zA-Z0-9]+
TRIGGER_SECRET_KEY=tr_
```
Generic API Keys and Secrets:
```
api[-]?key\s*[:=]\s*["'][^"']{8,}
password\s*[:=]\s*["'][^"']+
secret\s*[:=]\s*["'][^"']+
Bearer [a-zA-Z0-9+/=]{20,}
sk_live_[a-zA-Z0-9]+
sk_test_[a-zA-Z0-9]+
```
Base64-encoded secrets (common in MCP configs): look for base64 strings longer than 40 characters in .ts, .js, and .json files (excluding package-lock.json). These often indicate encoded API keys.
Files to scan: *.ts, *.js, *.json, *.yaml, *.yml, .env, .config.
Files to SKIP: node_modules/, package-lock.json, .git/, dist/, .trigger/
If ANY secret pattern is found: STOP. Do NOT proceed with commit/deploy. Report the finding with exact file, line number, and matched pattern. Instruct the user to:
- Move the secret to Trigger.dev Dashboard → Environment Variables
- Replace the hardcoded value with process.env.VARIABLE_NAME
- If the secret was already committed: warn that Git history contains the secret
Step 2: Git Safety Check
Check .gitignore exists and contains required entries:
Use the Read tool on .gitignore. It MUST contain ALL of these:
- .env or .env*
- node_modules/
- .trigger/
- dist/
If any entry is missing: STOP. Add the missing entries to .gitignore before proceeding.
Check for tracked .env files:
Run: git ls-files '.env*'
If ANY .env file is tracked by Git: STOP. Instruct the user:
- git rm --cached .env (removes from Git tracking without deleting the file)
- Verify .gitignore has .env*
- Commit the removal: git commit -m "Remove tracked .env files"
- WARN: "The .env file is still in Git history. If it contained real secrets, consider them compromised."
Step 3: Trigger.dev Config Validation
Check trigger.config.ts exists. If not, this is not a Trigger.dev project — skip remaining steps.
Read trigger.config.ts and verify:
- Has a project field with a valid project reference
- Does NOT contain any hardcoded API keys, tokens, or secrets
- Uses process.env.* for any sensitive values
Step 4: Pre-Deploy Reminder
Before deploying, display this reminder to the user:
Pre-Deploy Checklist:
- All secrets are set in Trigger.dev Dashboard → Environment Variables
- No secrets in code (Step 1 passed)
- .gitignore is correct (Step 2 passed)
- trigger.config.ts is clean (Step 3 passed)
- Local test with npx trigger.dev dev was successful
Ready to deploy? Running: npx trigger.dev deploy
Step 5: Report
If all checks pass (GREEN):
Security Check PASSED. No secrets found in code.
- Files scanned: [count]
- .gitignore: valid
- .env files: not tracked
- trigger.config.ts: clean
Safe to proceed with [commit/deploy].
If any check fails (RED):
SECURITY CHECK FAILED. DO NOT proceed.
Issues found: [List each issue with file, line, and fix instruction]
Fix all issues above before committing or deploying.
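The five-step process above, as an added example that is not part of the skill or of Trigger.dev's own tooling: Steps 1, 2 and 5 implemented in plain shell, with find, grep and git standing in for the agent's Grep and Read tools. The base64-blob heuristic and the Step 3 project-field check are assumed out of scope and are not implemented.

```shell
#!/usr/bin/env bash
# Added example (not the skill's or Trigger.dev's own code): Steps 1, 2 and 5 as plain
# shell, find/grep/git standing in for the agent's Grep and Read tools; the base64
# heuristic and the Step 3 project-field check are not implemented.

# Step 1 patterns from the page; the key prefixes get a '+' so the key body is matched.
SECRET_REGEX="tr_(dev|prod)_[A-Za-z0-9]+|TRIGGER_SECRET_KEY=tr_"
SECRET_REGEX="$SECRET_REGEX|api-?key[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"
SECRET_REGEX="$SECRET_REGEX|(password|secret)[[:space:]]*[:=][[:space:]]*[\"'][^\"']+"
SECRET_REGEX="$SECRET_REGEX|Bearer [A-Za-z0-9+/=]{20,}|sk_(live|test)_[A-Za-z0-9]+"

# Step 1: scan the listed file types under $1, pruning node_modules/, .git/, dist/ and
# .trigger/ and skipping package-lock.json. Prints file:line:text per hit; 0 = clean.
scan_secrets() {
  local hits
  hits=$(find "$1" \( -name node_modules -o -name .git -o -name dist -o -name .trigger \) -prune \
           -o -type f ! -name package-lock.json \
           \( -name '*.ts' -o -name '*.js' -o -name '*.json' -o -name '*.yaml' \
              -o -name '*.yml' -o -name '.env*' \) \
           -exec grep -nHE -e "$SECRET_REGEX" {} + || true)
  [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

# Step 2a: every required entry must be present (".env" or ".env*" satisfies the first).
check_gitignore() {
  local missing="" entry
  [ -f "$1" ] || { echo "missing .gitignore"; return 1; }
  grep -qxE '\.env\*?' "$1" || missing="$missing .env*"
  for entry in node_modules/ .trigger/ dist/; do
    grep -qxF "$entry" "$1" || missing="$missing $entry"
  done
  [ -z "$missing" ] || { echo "missing from .gitignore:$missing"; return 1; }
}

# Step 2b: any .env file tracked by the repository rooted at $1 fails the check.
check_tracked_env() {
  local tracked
  tracked=$(git -C "$1" ls-files '.env*' 2>/dev/null) || { echo "not a git repository"; return 1; }
  [ -z "$tracked" ] || { printf 'tracked by Git: %s\n' "$tracked"; return 1; }
}

# Step 5 verdict: GREEN only when every check passes, RED otherwise.
run_guard() {
  local status=0
  scan_secrets "$1" || status=1
  check_gitignore "$1/.gitignore" || status=1
  check_tracked_env "$1" || status=1
  if [ "$status" -eq 0 ]; then echo "Security Check PASSED."; else echo "SECURITY CHECK FAILED. DO NOT proceed."; fi
  return "$status"
}
```

Run it as `run_guard /path/to/project`; a non-zero exit is the RED verdict, and each failing check prints the file, line and pattern or the missing entry it found.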
Important Rules
- NEVER skip this check. Even if the user says "just deploy it" or "it's fine" — run the check first.
- Secrets in Git history are compromised. If a secret was committed even once, it must be rotated (new key generated) even after removal.
- .env.example is safe to commit — it should contain placeholder values like YOUR_KEY_HERE, never real secrets.
- Task payloads are visible in the Trigger.dev dashboard. Never pass secrets as task parameters — use process.env.* inside the task instead.