ansible-collections / community.digitalocean

This Ansible collection contains modules for assisting in the automation of the DigitalOcean cloud.
https://galaxy.ansible.com/community/digitalocean/
GNU General Public License v3.0

Move global GHA secrets to environments #293

Closed webknjaz closed 2 years ago

webknjaz commented 2 years ago

Hi @mamercad, I was looking at the current GHA setup and noticed an opportunity to tighten security a bit. You can scope the secrets better by having environments set up. This way, jobs that don't have this environment set (or use other envs) will be resistant to attempts to scrape the secrets.

Here's how to do this.

  1. Add environment: integration-tests (for example) to the integration test jobs
  2. Go to https://github.com/ansible-collections/community.digitalocean/settings/environments
  3. Create an environment called integration-tests (it may be auto-created by the time you get there if you run a job that points to this name)
  4. Create secrets used in the integration test jobs under the integration-tests
  5. After testing, delete the global secrets

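The environment scoping described in the steps above, as an added example workflow fragment that is not the collection's own CI configuration: the first job still reads a repository-level secret, the second job is scoped to the `integration-tests` environment so the secret is only injected there. Job names, the trigger set, the `ansible-test` invocation and the secret name `DO_API_TOKEN` are assumptions.

```yaml
# Added example, not the collection's own workflow. Job names, triggers,
# the ansible-test command and the secret name DO_API_TOKEN are assumptions.
name: integration

on:
  pull_request:
  schedule:
    - cron: "0 6 * * *"   # constructed schedule
  workflow_dispatch:

jobs:
  # Before: DO_API_TOKEN is a repository-level secret. Every job in every
  # workflow of the repository can read it, so the blast radius of any
  # job that ends up running modified code is the whole secret store.
  integration-unscoped:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run integration tests
        env:
          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
        run: ansible-test integration --docker -v

  # After: DO_API_TOKEN is defined under the "integration-tests"
  # environment (repository Settings -> Environments). GitHub injects
  # environment secrets only into jobs that declare that environment;
  # a job without it sees secrets.DO_API_TOKEN as an empty string.
  integration-scoped:
    runs-on: ubuntu-latest
    environment: integration-tests
    steps:
      - uses: actions/checkout@v4
      - name: Run integration tests
        env:
          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
        run: ansible-test integration --docker -v
```

Once every job that needs the token declares `environment: integration-tests` and the runs are green, the repository-level copy of the secret can be deleted (step 5). Environments also carry protection rules (required reviewers, deployment branch restrictions), so the same setting can gate who may trigger a job that has access to the credential.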
mamercad commented 2 years ago

We currently use environments for integration testing (on pull request).

Now that I'm looking at this more closely, a couple of the downstream jobs missed that directive, creating a PR shortly.

mamercad commented 2 years ago

The non-pull-request integration tests only run on main, schedule, and workflow_dispatch. How would your suggestion benefit these?

mamercad commented 2 years ago

Closing due to inactivity.