diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 38059a08f..7ef32e8a0 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -21,26 +21,27 @@ jobs:
 deploy:
 name: Deploy release to staging
 runs-on: ubuntu-latest
+ environment: Staging
 steps:
 - name: Deploy release to staging
 env:
 # Non-sensitive
- BACKEND_API_URL: ${{ vars.STAGING_BACKEND_API_URL }}
- FRONTEND_URL: ${{ vars.STAGING_FRONTEND_URL }}
- GOOGLE_CLIENT_ID: ${{ vars.STAGING_GOOGLE_CLIENT_ID }}
+ BACKEND_API_URL: ${{ vars.BACKEND_API_URL }}
+ FRONTEND_URL: ${{ vars.FRONTEND_URL }}
+ GOOGLE_CLIENT_ID: ${{ vars.GOOGLE_CLIENT_ID }}
 RELEASE_TAG: ${{ inputs.tag }}
- SSH_USER: ${{ vars.STAGING_SSH_USER }}
- SSH_HOST: ${{ vars.STAGING_SSH_HOST }}
+ SSH_USER: ${{ vars.SSH_USER }}
+ SSH_HOST: ${{ vars.SSH_HOST }}
 # Sensitive
- COMPASS_SYNC_TOKEN: ${{ secrets.STAGING_COMPASS_SYNC_TOKEN }}
- GCAL_NOTIFICATION_TOKEN: ${{ secrets.STAGING_GCAL_NOTIFICATION_TOKEN }}
- GOOGLE_CLIENT_SECRET: ${{ secrets.STAGING_GOOGLE_CLIENT_SECRET }}
- MONGO_PASSWORD: ${{ secrets.STAGING_MONGO_PASSWORD }}
- MONGO_REPLICA_SET_KEY: ${{ secrets.STAGING_MONGO_REPLICA_SET_KEY }}
- SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
- SUPERTOKENS_KEY: ${{ secrets.STAGING_SUPERTOKENS_KEY }}
- SUPERTOKENS_POSTGRES_PASSWORD: ${{ secrets.STAGING_SUPERTOKENS_POSTGRES_PASSWORD }}
+ COMPASS_SYNC_TOKEN: ${{ secrets.COMPASS_SYNC_TOKEN }}
+ GCAL_NOTIFICATION_TOKEN: ${{ secrets.GCAL_NOTIFICATION_TOKEN }}
+ GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
+ MONGO_PASSWORD: ${{ secrets.MONGO_PASSWORD }}
+ MONGO_REPLICA_SET_KEY: ${{ secrets.MONGO_REPLICA_SET_KEY }}
+ SSH_KEY: ${{ secrets.SSH_KEY }}
+ SUPERTOKENS_KEY: ${{ secrets.SUPERTOKENS_KEY }}
+ SUPERTOKENS_POSTGRES_PASSWORD: ${{ secrets.SUPERTOKENS_POSTGRES_PASSWORD }}
 run: |
 # Strip 'v' prefix for Docker image tags (v0.5.18 -> 0.5.18)
 IMAGE_VERSION="${RELEASE_TAG#v}"
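Review bot: Dropping the `STAGING_` prefix on every `secrets.*` and `vars.*` reference in the deploy step's `env:` block means a name that is absent from the `Staging` environment resolves to a same-named repository-level secret or variable if one exists, because environment values override rather than namespace repository ones; the old prefix made such a silent cross-environment fallback impossible. Since `environment: Staging` is now the only thing scoping the SSH key, OAuth client secret and database passwords, and the docs hunk describes this workflow as manually runnable with a tag, the environment needs protection rules (required reviewers, deployment branch/tag policy) configured on the GitHub side — worth stating in a comment above the new line, e.g. `# Secrets/vars below resolve from the Staging environment; protection rules are configured there, not in this file`. A cheap guard against the fallback is a step before the deploy such as `- run: '[ -n "$SSH_HOST" ] && [ -n "$SSH_KEY" ] || { echo "Staging environment values missing" >&2; exit 1; }'` with the same `env:` mapping. The `run:` script of this step continues past the end of the hunk.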
@@ -81,7 +82,7 @@ jobs:
 " clientSecret: \"${GOOGLE_CLIENT_SECRET}\"" \
 " notificationToken: \"${GCAL_NOTIFICATION_TOKEN}\"" \
 | ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" \
- "umask 077 && mkdir -p ~/compass && cat > ~/compass/compass.yaml"
+ "umask 077 && mkdir -p ~/compass && cat > ~/compass/compass.yaml && chmod 644 ~/compass/compass.yaml"
 ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${RELEASE_TAG}/self-host/compose.yaml -o ~/compass/compose.yaml"
 ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "curl -fsSL https://raw.githubusercontent.com/SwitchbackTech/compass/${RELEASE_TAG}/self-host/compass -o ~/compass/compass && chmod +x ~/compass/compass"
 ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && ./compass update"
diff --git a/docs/CI-CD/workflows.md b/docs/CI-CD/workflows.md
index aa9b88a2a..d381c92bc 100644
--- a/docs/CI-CD/workflows.md
+++ b/docs/CI-CD/workflows.md
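Review bot: The added `chmod 644 ~/compass/compass.yaml` makes the rendered config world-readable on the VPS even though the same command pipes `clientSecret` and `notificationToken` into it (and, judging by the env block in the previous hunk, presumably the Mongo and SuperTokens credentials too), which undoes the `umask 077` at the start of the same remote command. If a non-root container process needs to read the file, prefer a group-scoped mode such as `chmod 640 ~/compass/compass.yaml && chown "$USER":<app-gid> ~/compass/compass.yaml` or mount the secrets via Docker secrets/env, and add an inline comment in the `run:` script stating why the relaxed mode is required so it is not tightened back by accident. Separately, `${RELEASE_TAG}` (sourced from `inputs.tag`) is expanded locally into the double-quoted remote command on the three `ssh` lines and then re-parsed by the remote shell, so a tag containing quotes or `&&` becomes remote command injection; validate it before the ssh calls, e.g. `[[ "$RELEASE_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad tag" >&2; exit 1; }`. The enclosing `run:` script starts and ends outside this hunk.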
@@ -80,14 +80,34 @@ show which release triggered or motivated the deploy.
 Manual staging redeploys do not rebuild images. Run `Deploy staging` with an existing tag after confirming the desired image tags already exist on Docker Hub.
-### Required secrets
+### Required secrets and variables
-All secrets go in **GitHub → Settings → Secrets and variables → Actions**:
+Secrets and variables are split between repository level (shared across workflows) and the `Staging` GitHub Environment (scoped to the deploy job).
-| Secret | Value |
+**Repository-level** — GitHub → Settings → Secrets and variables → Actions:
+
+| Name | Value |
 |---|---|
 | `DOCKERHUB_USERNAME` | Docker Hub username for the `switchbacktech` org |
 | `DOCKERHUB_TOKEN` | Docker Hub personal access token (Read & Write) |
-| `STAGING_SSH_HOST` | VPS IP address or hostname |
-| `STAGING_SSH_USER` | Linux user on the VPS that owns `~/compass` |
-| `STAGING_SSH_KEY` | Private key from the deploy keypair (the `compass-staging-deploy` file, not `.pub`) |
+
+**`Staging` environment** — GitHub → Settings → Environments → Staging:
+
+| Secret | Value |
+|---|---|
+| `SSH_KEY` | Private key from the deploy keypair |
+| `COMPASS_SYNC_TOKEN` | Token for compass sync |
+| `GCAL_NOTIFICATION_TOKEN` | Google Calendar notification token |
+| `GOOGLE_CLIENT_SECRET` | OAuth client secret |
+| `MONGO_PASSWORD` | MongoDB compass user password |
+| `MONGO_REPLICA_SET_KEY` | MongoDB replica set key |
+| `SUPERTOKENS_KEY` | SuperTokens API key |
+| `SUPERTOKENS_POSTGRES_PASSWORD` | SuperTokens PostgreSQL password |
+
+| Variable | Value |
+|---|---|
+| `SSH_HOST` | VPS IP address or hostname |
+| `SSH_USER` | Linux user on the VPS that owns `~/compass` |
+| `BACKEND_API_URL` | Staging backend API URL |
+| `FRONTEND_URL` | Staging frontend URL |
+| `GOOGLE_CLIENT_ID` | OAuth client ID |