Skip to content

fix: add security warning for raw PRIVATE_KEY usage in launch-token guide#1374

Open
schoolkamsergj wants to merge 2 commits intobase:masterfrom
schoolkamsergj:fix/launch-token-private-key-warning
Open

fix: add security warning for raw PRIVATE_KEY usage in launch-token guide#1374
schoolkamsergj wants to merge 2 commits intobase:masterfrom
schoolkamsergj:fix/launch-token-private-key-warning

Conversation

@schoolkamsergj
Copy link
Copy Markdown

@schoolkamsergj schoolkamsergj commented May 1, 2026

Summary

Fixes #1357

The launch-token guide used vm.envUint("PRIVATE_KEY") to load a private key directly from a .env file, but provided no security warning about the risks — while the deploy-smart-contracts guide on the same site explicitly recommends cast wallet import deployer --interactive as the safer approach and warns: "Never share or commit your private key."

This inconsistency could lead developers (especially those new to Foundry) to accidentally expose their private keys in local .env files or commit them to version control.

Changes

Added a <Warning> callout directly before the .env configuration block in docs/get-started/launch-token.mdx:

  • Clearly states the raw PRIVATE_KEY approach is for local development and testing only
  • Warns never to commit .env or share the private key
  • Links to the deploy-smart-contracts guide for the recommended cast wallet import keystore approach

Why this matters

Both guides are in the same get-started section and developers often follow them together. Without this warning, a developer could reasonably assume the raw env var approach is acceptable for production — leading to potential key exposure.

This is a minimal, targeted fix that resolves the inconsistency without rewriting either guide.

@schoolkamsergj
fix: add security warning for raw PRIVATE_KEY usage in launch-token g…
5d666cf 
…uide

The launch-token guide used vm.envUint("PRIVATE_KEY") without any
security warning, while the deploy-smart-contracts guide explicitly
recommends cast wallet import (keystore) as the safer approach.

Added a Warning callout before the .env configuration block to:
- Alert developers that raw PRIVATE_KEY in .env is for local/testing only
- Recommend cast wallet import for production deployments
- Link to the deploy-smart-contracts guide for the secure approach

Fixes base#1357
@cb-heimdall
Copy link
Copy Markdown
Collaborator

cb-heimdall commented May 1, 2026
edited
Loading

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@cb-heimdall
Copy link
Copy Markdown
Collaborator

cb-heimdall commented May 2, 2026

Review Error for Jhosepin @ 2026-05-02 00:35:39 UTC
User failed mfa authentication, either user does not exist or public email is not set on your github profile. \ see go/mfa-help

@knisaci
Copy link
Copy Markdown

knisaci commented May 2, 2026

Thanks for picking this up! I'd also suggest mentioning in the note that .env files should be added to .gitignore to prevent accidental key commits — might be worth adding while this is open.

@schoolkamsergj
Copy link
Copy Markdown
Author

schoolkamsergj commented May 2, 2026

Thanks for picking this up! I'd also suggest mentioning in the note that .env files should be added to .gitignore to prevent accidental key commits — might be worth adding while this is open.

Good point! I'll update the Warning block to also mention
adding .env to .gitignore. Will push the change shortly.

@schoolkamsergj
Update warning about .env file and PRIVATE_KEY
4aea646 
Added a reminder to include '.env' in .gitignore to prevent accidental key commits.
@schoolkamsergj
Copy link
Copy Markdown
Author

schoolkamsergj commented May 4, 2026

Done — updated the <Warning> block to explicitly mention adding .env to .gitignore. Thanks for the suggestion!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Jhosepin Jhosepin Jhosepin approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Launch a Token guide uses raw PRIVATE_KEY env variable, contradicting Deploy Smart Contracts guide's safer keystore approach

4 participants

@schoolkamsergj @cb-heimdall @knisaci @Jhosepin