Pull request overview
This PR updates the scheduled GitHub Actions workflow to source CUSTOM_CONFIG from GitHub Secrets instead of GitHub Repository Variables, aiming to keep custom configuration out of the public/less-protected variables mechanism.
Changes:
- Switch `CUSTOM_CONFIG` from `${{ vars.CUSTOM_CONFIG }}` to `${{ secrets.CUSTOM_CONFIG }}` in the main workflow.
- Update the keep-alive timestamp file.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/main.yml | Reads CUSTOM_CONFIG from GitHub Secrets instead of repository variables before generating config/custom.yaml. |
| .github/keep-alive.txt | Updates the “Last run” timestamp used to keep scheduled workflows active. |
Comments suppressed due to low confidence (1)
.github/workflows/main.yml:33
`CUSTOM_CONFIG` is now sourced from a GitHub Secret, but the workflow prints the resulting `config/custom.yaml` to logs via `cat`. Secret redaction is not guaranteed for multi-line/YAML content, so this can leak sensitive configuration. Avoid logging the file contents; if you need validation, log a checksum or only log in an explicitly enabled debug mode after masking.
```yaml
    CUSTOM_CONFIG: ${{ secrets.CUSTOM_CONFIG }}
  run: |
    printf "%b\n" "$CUSTOM_CONFIG" > config/custom.yaml
    echo "Use custom config: "
    cat config/custom.yaml
```
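One way to follow the suggestion in the comment above (log a checksum rather than the file), as an added example that is not part of this PR or of Copilot's review. The function name `write_config_quietly` is hypothetical, and GNU `sha256sum` is assumed to be on the runner.

```shell
#!/bin/sh
# Write the multi-line config held in an environment variable to a file and
# report only non-sensitive metadata (SHA-256 digest and byte count).
#   $1: config text with \n escapes, as the workflow passes it in CUSTOM_CONFIG
#   $2: destination path, e.g. config/custom.yaml
write_config_quietly() {
    cfg=$1
    dest=$2
    # Create the directory and file readable by the current user only.
    old_umask=$(umask)
    umask 077
    mkdir -p "$(dirname "$dest")"
    # Same expansion the workflow uses: %b turns \n escapes into newlines,
    # so the file text differs from the stored secret string.
    printf '%b\n' "$cfg" > "$dest"
    umask "$old_umask"
    # Digest and size let a maintainer confirm which config was applied
    # without the contents reaching the job log.
    digest=$(sha256sum "$dest" | cut -d' ' -f1)
    size=$(wc -c < "$dest" | tr -d ' ')
    echo "Use custom config: sha256=$digest bytes=$size"
}
```

In the workflow step this would be called as `write_config_quietly "$CUSTOM_CONFIG" config/custom.yaml` in place of the `printf`, `echo` and `cat` lines.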
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | ||
| OPENAI_API_BASE: ${{ secrets.OPENAI_API_BASE }} | ||
| CUSTOM_CONFIG: ${{ vars.CUSTOM_CONFIG }} | ||
| CUSTOM_CONFIG: ${{ secrets.CUSTOM_CONFIG }} |
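Review bot: The new `CUSTOM_CONFIG: ${{ secrets.CUSTOM_CONFIG }}` line feeds a step that, per the snippet quoted for .github/workflows/main.yml:33, still runs `cat config/custom.yaml` after `printf "%b\n"` has expanded the escape sequences, so the text written to the job log is not the exact string stored as the secret and log masking cannot be relied on to hide it. Remove the `cat` (and the "Use custom config" echo that introduces it) in this same change, or print only a checksum of the file. Moving the value to a secret without that follow-up leaves the configuration readable by anyone who can view the run logs.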
This change switches CUSTOM_CONFIG from a repo variable to a secret, but other references/documentation appear to still describe CUSTOM_CONFIG as a public variable (and other workflows may still read vars.CUSTOM_CONFIG). Please update the remaining workflow(s)/docs to use the same source to prevent confusing setup instructions and failures when running alternative workflows.
No description provided.