Update docs to use APPSETTINGS_JSON secret

Author: mythz

content/docs/configuration.mdx

@@ -45,30 +45,40 @@ services.AddSingleton<IEmailSender<ApplicationUser>, EmailSender>();
 
 ### App Settings Secrets
 
-Instead of polluting each GitHub Repository with multiple App-specific GitHub Action Secrets, you can save all your secrets in a single `APPSETTINGS_PATCH` GitHub Action Secret to patch `appsettings.json` with environment-specific configuration using [JSON Patch](https://jsonpatch.com). E.g:
+Instead of polluting each GitHub Repository with multiple App-specific GitHub Action Secrets, you can save all your secrets in a single `APPSETTINGS_JSON` GitHub Action Secret which will get written inside the Docker container `appsettings.Production.json`, e.g:
 
 ```json
-[
-    {
-        "op":"replace",
-        "path":"/ConnectionStrings/DefaultConnection",
-        "value":"Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname;Pooling=true;"
-    },
-    { "op":"add", "path":"/SmtpConfig", "value":{
-        "UserName": "SmtpUser",
-        "Password": "SmtpPass",
-        "Host": "email-smtp.us-east-1.amazonaws.com",
-        "Port": 587,
-        "From": "[email protected]",
-        "FromName": "MyApp",
-        "Bcc": "[email protected]"
-      } 
-    },
-    { "op":"add", "path":"/Admins", "value": ["[email protected]","[email protected]"] },
-    { "op":"add", "path":"/CorsFeature/allowOriginWhitelist/-", "value":"https://servicestack.net" }
-]
+{
+  "ConnectionStrings": {
+    "DefaultConnection": "Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname;Pooling=true;"
+  },
+  "SmtpConfig": {
+      "UserName": "SmtpUser",
+      "Password": "SmtpPass",
+      "Host": "email-smtp.us-east-1.amazonaws.com",
+      "Port": 587,
+      "From": "[email protected]",
+      "FromName": "MyApp",
+      "Bcc": "[email protected]"
+    } 
+  },
+  "Admins": ["[email protected]","[email protected]"]
+}
+```
+
+After changing `appsettings.Production.json` update your `APPSETTINGS_JSON` GitHub Action Secret with:
+
+```bash
+npm run secret:prod
+```
+
+This uses the GitHub CLI to add your `appsettings.Production.json` to your GitHub repository's Action secrets:
+
+```bash
+gh secret set APPSETTINGS_JSON < appsettings.Production.json
 ```
 
+
 ### SMTP Email
 
 Enable email sending by uncommenting in `Program.cs`:
@@ -95,38 +105,37 @@ npx add-in db-identity
 
 ### App Settings Secrets
 
-You could register any App-specific secrets here, although our preference is instead of polluting each 
-GitHub Repository with multiple App-specific GitHub Action Secrets, you can save all your secrets in a single 
-`APPSETTINGS_PATCH` GitHub Action Secret to patch `appsettings.json` with environment-specific configuration 
-using [JSON Patch](https://jsonpatch.com). E.g:
+You could register any App-specific secrets here, although our preference is to instead save all your secrets in a single `APPSETTINGS_JSON` GitHub Action Secret which will get written inside the Docker container `appsettings.Production.json`, e.g:
+
+```json
+{
+  "ConnectionStrings": {
+    "DefaultConnection": "Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname;Pooling=true;"
+  },
+  "SmtpConfig": {
+      "UserName": "SmtpUser",
+      "Password": "SmtpPass",
+      "Host": "email-smtp.us-east-1.amazonaws.com",
+      "Port": 587,
+      "From": "[email protected]",
+      "FromName": "MyApp",
+      "Bcc": "[email protected]"
+    } 
+  },
+  "Admins": ["[email protected]","[email protected]"]
+}
+```
+
+After changing `appsettings.Production.json` update your `APPSETTINGS_JSON` GitHub Action Secret with:
 
 ```bash
-# JSON Patch to apply to appsettings.json:
-gh secret set APPSETTINGS_PATCH [json-patch]
+npm run secret:prod
 ```
 
-JSON Patch example:
+This uses the GitHub CLI to add your `appsettings.Production.json` to your GitHub repository's Action secrets:
 
-```json
-[
-    {
-        "op":"replace",
-        "path":"/ConnectionStrings/DefaultConnection",
-        "value":"Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname"
-    },
-    { "op":"add", "path":"/SmtpConfig", "value":{
-        "UserName": "SmtpUser",
-        "Password": "SmtpPass",
-        "Host": "email-smtp.us-east-1.amazonaws.com",
-        "Port": 587,
-        "From": "[email protected]",
-        "FromName": "MyApp",
-        "Bcc": "[email protected]"
-      } 
-    },
-    { "op":"add", "path":"/Admins", "value": ["[email protected]","[email protected]"] },
-    { "op":"add", "path":"/CorsFeature/allowOriginWhitelist/-", "value":"https://servicestack.net" }
-]
+```bash
+gh secret set APPSETTINGS_JSON < appsettings.Production.json
 ```
 
 ### Kamal Accessories

content/docs/deployments.mdx

@@ -57,40 +57,65 @@ The only secret that needs to be configured per App is:
 gh secret set KAMAL_DEPLOY_HOST <www.example.org>
 ```
 
-You could register any App-specific secrets here, although our preference is instead of polluting each 
-GitHub Repository with multiple App-specific GitHub Action Secrets, you can save all your secrets in a single 
-`APPSETTINGS_PATCH` GitHub Action Secret to patch `appsettings.json` with environment-specific configuration 
-using [JSON Patch](https://jsonpatch.com). E.g:
+### App Settings Secrets
+
+You could register any App-specific secrets here, although our preference is to instead save all your secrets in a single `APPSETTINGS_JSON` GitHub Action Secret which will get written inside the Docker container `appsettings.Production.json`, e.g:
+
+```json
+{
+  "ConnectionStrings": {
+    "DefaultConnection": "Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname;Pooling=true;"
+  },
+  "SmtpConfig": {
+      "UserName": "SmtpUser",
+      "Password": "SmtpPass",
+      "Host": "email-smtp.us-east-1.amazonaws.com",
+      "Port": 587,
+      "From": "[email protected]",
+      "FromName": "MyApp",
+      "Bcc": "[email protected]"
+    } 
+  },
+  "Admins": ["[email protected]","[email protected]"]
+}
+```
+
+After changing `appsettings.Production.json` update your `APPSETTINGS_JSON` GitHub Action Secret with:
 
 ```bash
-# JSON Patch to apply to appsettings.json:
-gh secret set APPSETTINGS_PATCH [json-patch]
+npm run secret:prod
 ```
 
-JSON Patch example:
+This uses the GitHub CLI to add your `appsettings.Production.json` to your GitHub repository's Action secrets:
 
-```json
-[
-    {
-        "op":"replace",
-        "path":"/ConnectionStrings/DefaultConnection",
-        "value":"Server=service-postgres;Port=5432;User Id=dbuser;Password=dbpass;Database=dbname"
-    },
-    { "op":"add", "path":"/SmtpConfig", "value":{
-        "UserName": "SmtpUser",
-        "Password": "SmtpPass",
-        "Host": "email-smtp.us-east-1.amazonaws.com",
-        "Port": 587,
-        "From": "[email protected]",
-        "FromName": "MyApp",
-        "Bcc": "[email protected]"
-      } 
-    },
-    { "op":"add", "path":"/Admins", "value": ["[email protected]","[email protected]"] },
-    { "op":"add", "path":"/CorsFeature/allowOriginWhitelist/-", "value":"https://servicestack.net" }
-]
+```bash
+gh secret set APPSETTINGS_JSON < appsettings.Production.json
 ```
 
+**How It Works:**
+
+1. **Development** - Create `appsettings.Production.json` locally with your production configuration
+2. **Upload** - Run `npm run secret:prod` to store it as a GitHub Action secret (never committed to git)
+3. **Deployment** - GitHub Actions injects the secret as the `APPSETTINGS_JSON_BASE64` environment variable
+4. **Runtime** - The container startup script decodes and writes it to `/app/dotnet/appsettings.Production.json`
+5. **Isolation** - The file is written with root-only permissions, preventing Node.js access
+
+Configuration in [config/deploy.yml](https://github.com/NetCoreTemplates/next-rsc/blob/main/config/deploy.yml):
+
+```yaml
+# config/deploy.yml
+env:
+  secret:
+    - APPSETTINGS_JSON_BASE64  # Base64-encoded production config
+```
+
+**Benefits:**
+- Secrets never committed to git repository
+- Secrets never baked into Docker image layers
+- Same Docker image can be used across all environments
+- Production configuration remains isolated from Node.js process
+
+
 ### Inferred Variables
 
 These variables are inferred from the GitHub Action context and don't need to be configured.