Add GitHub Actions workflows and update .env config

Introduces three new GitHub Actions workflows for nightly backups, deployment to Hugging Face Spaces, and syncing knowledge to Supabase/pgvector. Updates the .env configuration to move sensitive credentials to secrets, add runtime and logging options, and improve security by removing hardcoded secrets and clarifying usage of environment variables.

.github/workflows/backup-workflows.yml

@@ -0,0 +1,36 @@
+name: Nightly Backup (DB + Workflows)
+
+on:
+  schedule:
+    - cron: "23 2 * * *" # daily at 02:23 UTC
+  workflow_dispatch:
+
+jobs:
+  backup:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Postgres client
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y postgresql-client
+
+      - name: Run backup script
+        env:
+          DB_HOST: ${{ secrets.DB_HOST }}
+          DB_PORT: ${{ secrets.DB_PORT }}
+          DB_NAME: ${{ secrets.DB_NAME }}
+          DB_USER: ${{ secrets.DB_USER }}
+          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+          N8N_BASE_URL: ${{ secrets.N8N_BASE_URL }}
+          N8N_API_KEY: ${{ secrets.N8N_API_KEY }}
+        run: |
+          chmod +x scripts/backup.sh
+          ./scripts/backup.sh
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: n8n-backup
+          path: workflows/backup/**

.github/workflows/deploy-to-hf.yml

@@ -0,0 +1,29 @@
+name: Deploy to Hugging Face Space
+
+on:
+  push:
+    branches: ["main"]
+    tags:
+      - "n8n-v*"
+  workflow_dispatch:
+
+jobs:
+  push-to-hf-space:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure Git
+        run: |
+          git config user.name "ci-bot"
+          git config user.email "[email protected]"
+
+      - name: Push to HF Space repo
+        env:
+          HF_TOKEN: ${{ secrets.HF_TOKEN }}
+        run: |
+          # TODO: replace with your Space path
+          HF_SPACE_REPO="https://huggingface.co/spaces/danilonovais/n8n-dan"
+          git remote add hf "https://user:${HF_TOKEN}@${HF_SPACE_REPO#https://}"
+          git push hf HEAD:main --force

.github/workflows/sync-knowledge.yml

@@ -0,0 +1,30 @@
+name: Sync Knowledge (GitHub → Supabase/pgvector)
+
+on:
+  schedule:
+    - cron: "17 */6 * * *"   # every 6h
+  workflow_dispatch:
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install deps
+        run: npm ci || npm i
+
+      - name: Run sync script
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+          SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
+          KNOWLEDGE_REPO_URL: ${{ secrets.KNOWLEDGE_REPO_URL }}
+          KNOWLEDGE_DIRS: ${{ secrets.KNOWLEDGE_DIRS }}
+        run: |
+          node scripts/sync-knowledge.mjs

config/.env

@@ -5,7 +5,16 @@
 N8N_ENCRYPTION_KEY=wzU4MDO5k77AsKSU10gZILj7qkxQzoYD
 N8N_USER_MANAGEMENT_JWT_SECRET=rwTS25Uo0hKYcArORBS7mIMYXyo4A3av
 N8N_HOST=danilonovais-n8n-dan.hf.space
-WEBHOOK_URL=https://danilonovais-n8n-dan.hf.space
+N8N_PUBLIC_API_DISABLED=false
+N8N_LOG_LEVEL=info
+N8N_METRICS=true
+QUEUE_BULL_REDIS_DISABLED=true
+EXECUTIONS_MODE=regular
+EXECUTIONS_DATA_SAVE_ON_ERROR=all
+EXECUTIONS_DATA_SAVE_ON_SUCCESS=none
+EXECUTIONS_DATA_PRUNE=true
+EXECUTIONS_DATA_MAX_AGE=336
+WEBHOOK_URL=https://danilonovais-n8n-dan.hf.space/
 
 # ===== DATABASE CONFIGURATION =====
 DB_TYPE=postgresdb
@@ -13,24 +22,31 @@ DB_POSTGRESDB_HOST=aws-1-sa-east-1.pooler.supabase.com
 DB_POSTGRESDB_PORT=6543
 DB_POSTGRESDB_DATABASE=postgres
 DB_POSTGRESDB_USER=postgres.vkgwjmvekrlrjybbmtks
-DB_POSTGRESDB_PASSWORD=An@10011982@@
+DB_POSTGRESDB_SCHEMA=public
+# NOTE: Keep DB password only in HF Space Secrets (runtime)
+DB_POSTGRESDB_PASSWORD=
 DB_POSTGRESDB_SSL=true
+DB_POSTGRESDB_SSL_REJECT_UNAUTHORIZED=false
 
 # ===== DEPLOYMENT CONFIGURATION =====
-HF_TOKEN=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
+ # NOTE: Move HF_TOKEN to GitHub Actions Secrets (not used by runtime container)
+HF_TOKEN=
 HF_SPACE_NAME=danilonovais/n8n-dan
-GITHUB_TOKEN=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
+ # NOTE: Move GITHUB_TOKEN to GitHub Actions Secrets (not used by runtime container)
+GITHUB_TOKEN=
 
 # ===== AI INTEGRATIONS =====
 GOOGLE_PROJECT_ID=peppy-flame-468203-e0
 GOOGLE_CREDENTIALS_PATH=/home/node/.n8n/credentials/google-service-account.json
-OPENAI_API_KEY=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
-ANTHROPIC_API_KEY=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
+GOOGLE_APPLICATION_CREDENTIALS=/home/node/.n8n/credentials/google-service-account.json
+# NOTE: Keep AI/API keys in HF Space Secrets (runtime) and/or GitHub Actions Secrets
+OPENAI_API_KEY=
+ANTHROPIC_API_KEY=
 VERTEX_AI_PROJECT=n8n-workflows
 VERTEX_AI_LOCATION=us-central1
 
 # ===== VECTOR STORE CONFIGURATION =====
-CHROMA_AUTH_TOKEN=ck-EDcCL7iYVGiP3RjdvqY5RgeXjJrwHFHfYvNSQEZaJ12Q
+CHROMA_AUTH_TOKEN=
 CHROMA_HOST=api.chroma.com
 CHROMA_PORT=443
 
@@ -49,10 +65,10 @@ SENTRY_DSN=your-sentry-dsn (optional)
 # ===== BACKUP CONFIGURATION =====
 BACKUP_SCHEDULE=0 2 * * *
 BACKUP_RETENTION_DAYS=30
-BACKUP_ENCRYPTION_PASSWORD=An@10011982@@
+BACKUP_ENCRYPTION_PASSWORD=
 
 # ===== SECURITY =====
-ALLOWED_ORIGINS=https://danilonovais-n8n-dan.hf.space,https://meudominio.com
-CSRF_SECRET=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 ; echo)
+ALLOWED_ORIGINS=https://danilonovais-n8n-dan.hf.space
+CSRF_SECRET=REPLACE_WITH_RANDOM_32_64_CHAR_STRING
 RATE_LIMIT_WINDOW=15
 RATE_LIMIT_MAX=100