# 5. Setting up project repository

Once you have set up your sfops repository, you need to configure your Salesforce project repository with the necessary variables and secrets.

## Variables & Secrets

Navigate to your project repository → **Settings** → **Secrets and variables** → **Actions**

### GitHub App Authentication

These credentials connect your project repository to the sfops-bot GitHub App:

| Variable                    | Type                | Value Type | Example           | Comments                                                                                                      |
| --------------------------- | ------------------- | ---------- | ----------------- | ------------------------------------------------------------------------------------------------------------- |
| SFOPSBOT\_APP\_ID           | Repository Variable | String     | 418222            | The App ID from [step 2](https://docs.flxbl.io/flxbl/sfops/self-managed-instances/setting-up/github-app)      |
| SFOPSBOT\_APP\_PRIVATE\_KEY | Repository Secret   | String     | -----BEGIN RSA... | The private key from [step 2](https://docs.flxbl.io/flxbl/sfops/self-managed-instances/setting-up/github-app) |

### sfops Configuration

Core settings for connecting your project to sfops infrastructure:

| Variable                 | Type                | Value Type | Example              | Comments                                                                                 |
| ------------------------ | ------------------- | ---------- | -------------------- | ---------------------------------------------------------------------------------------- |
| SFOPS\_DASHBOARD\_REPO   | Repository Variable | String     | your-org/dev-central | The Dev Central repository for this project                                              |
| SFOPS\_METRICS\_PROVIDER | Repository Variable | String     | datadog              | Metrics provider (datadog, newrelic, or splunk)                                          |
| BRANCHES                 | Repository Variable | Array      | \["main"]            | List of branches tracked in DevCentral dashboard (typically just your main/trunk branch) |

### Issue Tracker Integration (Optional)

If you use Jira or another issue tracker:

| Variable                              | Type                | Value Type | Example                    | Comments                       |
| ------------------------------------- | ------------------- | ---------- | -------------------------- | ------------------------------ |
| SFOPS\_ISSUETRACKER\_URL\_BASE        | Repository Variable | String     | <https://jira.example.com> | Base URL of your issue tracker |
| SFOPS\_ISSUETRACKER\_WORKITEM\_FILTER | Repository Variable | String     | (FGK\|FFK)-\[0-9]{3,4}     | Regex pattern for issue IDs    |
| SFOPS\_JIRA\_USER                     | Repository Variable | String     | <username@jira.com>        | Jira username for integration  |
| SFOPS\_JIRA\_TOKEN                    | Repository Secret   | String     | jira\_token\_xyz           | Jira API token                 |

### Salesforce Authentication

Required for deployments and validations:

| Variable                | Type              | Value Type | Example     | Comments                                                       |
| ----------------------- | ----------------- | ---------- | ----------- | -------------------------------------------------------------- |
| DEVHUB\_SFDX\_AUTH\_URL | Repository Secret | String     | force://... | SFDX Auth URL of your deployment service account in production |

{% hint style="info" %}
**Tip**: The DEVHUB\_SFDX\_AUTH\_URL can be obtained by running:

```bash
sf org display --target-org <your-devhub-alias> --verbose --json
```

Look for the `sfdxAuthUrl` field in the output.
{% endhint %}
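A pre-flight check for the variables and secrets listed in the tables above, added here as an example; it is not part of sfops or of the original guide. It assumes `BRANCHES` is read as a JSON array and that you supply the variable values and secret names yourself; `check_repo_config` and `SAMPLE_BAD` are hypothetical names.

```python
import json
import re

# Names and types come from the tables on this page.
REQUIRED_VARIABLES = {"SFOPSBOT_APP_ID", "SFOPS_DASHBOARD_REPO",
                      "SFOPS_METRICS_PROVIDER", "BRANCHES"}
REQUIRED_SECRETS = {"SFOPSBOT_APP_PRIVATE_KEY", "DEVHUB_SFDX_AUTH_URL"}
SECRET_ONLY = REQUIRED_SECRETS | {"SFOPS_JIRA_TOKEN"}
METRICS_PROVIDERS = {"datadog", "newrelic", "splunk"}


def check_repo_config(variables, secret_names):
    """Return a list of problems (empty = all checks passed); secret values are never read."""
    problems = [f"missing variable {n}"
                for n in sorted(REQUIRED_VARIABLES - variables.keys())]
    problems += [f"missing secret {n}"
                 for n in sorted(REQUIRED_SECRETS - set(secret_names))]
    for name, value in sorted(variables.items()):
        # Variables are readable in plaintext and are not masked in logs.
        if name in SECRET_ONLY:
            problems.append(f"{name} is a variable, must be a secret")
        elif value.startswith("force://") or "PRIVATE KEY-----" in value:
            problems.append(f"variable {name} holds a credential-shaped value")
    app_id = variables.get("SFOPSBOT_APP_ID")
    if app_id is not None and not app_id.isdigit():
        problems.append("SFOPSBOT_APP_ID must be numeric")
    repo = variables.get("SFOPS_DASHBOARD_REPO")
    if repo is not None and not re.fullmatch(r"[\w.-]+/[\w.-]+", repo):
        problems.append("SFOPS_DASHBOARD_REPO must be owner/repo")
    provider = variables.get("SFOPS_METRICS_PROVIDER")
    if provider is not None and provider not in METRICS_PROVIDERS:
        problems.append("SFOPS_METRICS_PROVIDER must be datadog, newrelic or splunk")
    branches = variables.get("BRANCHES")
    if branches is not None:
        try:
            parsed = json.loads(branches)
        except ValueError:
            parsed = None
        if not (isinstance(parsed, list) and parsed
                and all(isinstance(b, str) for b in parsed)):
            problems.append("BRANCHES must be a JSON array of branch names")
    return problems


# Constructed sample: credential pasted as a variable, BRANCHES not an array.
SAMPLE_BAD = {"SFOPSBOT_APP_ID": "418222", "SFOPS_DASHBOARD_REPO": "your-org/dev-central",
              "SFOPS_METRICS_PROVIDER": "datadog", "BRANCHES": "main",
              "DEVHUB_SFDX_AUTH_URL": "force://CONSTRUCTED-PLACEHOLDER"}
```

Calling `check_repo_config(SAMPLE_BAD, {"SFOPSBOT_APP_PRIVATE_KEY"})` reports the missing secret, the auth URL stored as a variable, and the malformed `BRANCHES` value.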

## Troubleshooting

### Docker Pull Errors - "denied" when pulling sfops images

If your workflows fail with errors like:

```
Error response from daemon: denied
```

when trying to pull `ghcr.io/YOUR_ORG/sfops:VERSION` or `ghcr.io/YOUR_ORG/sfops-lite:VERSION`, the Docker packages need to be configured for internal organization access.

**Solution 1: Configure Package Visibility (Preferred)**

After the first successful build in your sfops repository (step 4):

1. Navigate to your organization's packages: `https://github.com/orgs/YOUR_ORG/packages`
2. For both `sfops` and `sfops-lite` packages:
   * Click on the package name
   * Go to **Package settings**
   * In **Danger Zone**, click **Change package visibility**
   * Select **Internal** - Make this package visible to everyone in your organization
   * Type the package name to confirm
   * Click **I understand the consequences, change package visibility**

**Solution 2: Manage Actions Access (If visibility change is disabled)**

If you see "Setting is disabled by organization administrators" when trying to change visibility:

1. Navigate to your organization's packages: `https://github.com/orgs/YOUR_ORG/packages`
2. For both `sfops` and `sfops-lite` packages:
   * Click on the package name
   * Go to **Package settings**
   * Find the **Manage Actions access** section
   * Under **Actions repository access**, click **Add Repository**
   * Add your project repository (e.g., `sf-core`)
   * Save the changes

This grants specific repository access to pull the packages even when they remain private.

{% hint style="danger" %}
**Note**: One of these solutions must be applied after the first successful workflow run that creates the packages. Until access is configured, project repositories cannot pull the Docker images.
{% endhint %}

{% hint style="warning" %}
The FLXBL team sets up these variables automatically when it sets up sfops in your repository. This guide applies only when you are setting up a self-managed instance of sfops.
{% endhint %}
