This document outlines the secrets management practices for this repository.
We use the following types of secrets in this project:

- Repository Secrets: Stored at the repository level
- Environment Secrets: Specific to deployment environments
- Organization Secrets: Shared across multiple repositories
All secrets are stored securely using GitHub’s built-in secrets management system. They are encrypted at rest and in transit.
Secrets can be accessed in GitHub Actions workflows using the following syntax: `${{ secrets.SECRET_NAME }}`

To add a new secret:
- Navigate to the repository settings
- Click on "Secrets and variables" under the "Security" section
- Select "Actions" (for workflow secrets)
- Click "New repository secret"
- Provide a name and value for the secret
Follow these practices when handling secrets:

- Least Privilege: Only grant access to secrets on a need-to-know basis.
- Regular Rotation: Rotate secrets periodically to minimize the impact of potential breaches.
- Avoid Hardcoding: Never hardcode secrets in the codebase or commit them to version control.
- Audit Usage: Regularly review where and how secrets are being used in workflows.
- Use Environment Secrets: For sensitive production credentials, use environment secrets with required reviewers.
Additional security considerations:

- Do not log or display secrets in workflow outputs.
- Be cautious when using secrets in workflows triggered by pull requests from forked repositories.
- Consider using OIDC with cloud providers for enhanced security.
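As an added example (not part of this repository's tooling and not GitHub's own code), the following Python script audits workflow text for the points above: it lists which secrets a workflow references through the `${{ secrets.SECRET_NAME }}` syntax, flags secrets expanded directly into a `run:` script instead of being passed through `env:`, flags `echo`/`printf` of a secret-bearing variable, and flags the `pull_request_target` trigger that runs fork PRs with repository secrets. The embedded workflow, the secret names and the `deploy.sh` script are constructed; the parser is line-based, assumes conventional indentation, and needs no YAML library.

```python
"""Static audit of GitHub Actions workflow text for secret-handling issues.

Added example; not the repository's own tooling. Line-based parsing is used
so that no YAML library is required (assumes conventional indentation).
"""
import re

# Constructed sample workflow (not from this repository). Step 1 expands the
# secret straight into the shell script, step 2 passes it via env: but then
# prints it, and step 3 echoes a secret directly.
SAMPLE_WORKFLOW = """\
name: deploy
on:
  pull_request_target:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: risky inline use
        run: ./deploy.sh --token ${{ secrets.DEPLOY_TOKEN }}
      - name: env use, but printed
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          ./deploy.sh
          echo "token is $DEPLOY_TOKEN"
      - name: debug
        run: echo ${{ secrets.API_KEY }}
"""

# ${{ secrets.NAME }} reference, capturing NAME
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# a `run:` key, optionally as a list item ("- run:"), with whatever follows it
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
# an env mapping whose value comes from a secret, e.g. "TOKEN: ${{ secrets.X }}"
ENV_FROM_SECRET = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*\$\{\{\s*secrets\.")
PR_TARGET = re.compile(r"^\s*(-\s*)?pull_request_target\b")
BLOCK_INDICATORS = {"|", "|-", "|+", ">", ">-", ">+"}


def secret_env_vars(text):
    """Names of environment variables whose value is taken from a secret."""
    names = set()
    for line in text.splitlines():
        m = ENV_FROM_SECRET.match(line)
        if m:
            names.add(m.group(1))
    return names


def audit_workflow(text):
    """Return (sorted secret names used, findings).

    Each finding is a (line_number, kind, detail) tuple.
    """
    tainted = secret_env_vars(text)
    var_refs = {v: re.compile(r"\$\{?" + re.escape(v) + r"\b\}?") for v in tainted}
    secrets_used, findings = set(), []
    in_block, block_indent = False, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # a multi-line `run: |` block ends at the first non-empty line whose
        # indentation is not deeper than the `run:` key itself
        if in_block and stripped and (len(line) - len(line.lstrip())) <= block_indent:
            in_block = False
        m = RUN_KEY.match(line)
        is_run = bool(m) or in_block
        if m and m.group(3).strip() in BLOCK_INDICATORS:
            in_block = True
            block_indent = len(m.group(1)) + len(m.group(2) or "")
        names = SECRET_REF.findall(line)
        secrets_used.update(names)
        if PR_TARGET.match(line):
            findings.append((lineno, "pull_request_target",
                             "fork PRs run with repository secrets; keep checkout and permissions minimal"))
        if is_run:
            # secret expanded into the script text: prefer an env: variable
            for n in names:
                findings.append((lineno, "secret_in_run", n))
            # secret-bearing variable printed to the job log
            if "echo" in stripped or "printf" in stripped:
                for v, rx in var_refs.items():
                    if rx.search(line):
                        findings.append((lineno, "secret_printed", v))
    return sorted(secrets_used), findings


if __name__ == "__main__":
    used, found = audit_workflow(SAMPLE_WORKFLOW)
    print("secrets referenced:", ", ".join(used))
    for lineno, kind, detail in found:
        print(f"line {lineno}: {kind}: {detail}")
```

Run against a checkout with `audit_workflow(open(path).read())` for each file under `.github/workflows/` to get the inventory that the "Audit Usage" practice calls for; a workflow that only passes secrets through `env:` and never prints them produces no findings.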
> **Note:** Remember to keep this file updated as your secrets management practices evolve. Do not include any actual secret values in this file.