clingen-data-model / curator


Restrict repository secret access #6

Closed theferrit32 closed 3 years ago

theferrit32 commented 3 years ago

Right now the repo is private due to credentials in the source tree. In order to make the repo public we need to remove and revoke those tokens, and put GCP service account credentials in the repository secrets. Before doing that we need to restrict access to this repo so that only specific users can read/manage repo secrets, not just anyone in the org.

Might be able to use github org teams. By default users with collaborator role on the repo can access secrets.

larrybabb commented 3 years ago

@sjahl Please let me know if you need me to create a new GitHub repo for the curator app, assuming we have to eventually make it public and remove the secrets that are contained in it. Otherwise you can close or take over this ticket to help sort out how we've set up the secrets thus far.

sjahl commented 3 years ago

I agree with what @tnavatar said in our chat on Friday -- I don't think there's a security concern with keeping the firebase key checked into source.

One recommendation that the docs have is adding restrictions to the key. The general idea is that you limit which web apps/IP addresses/etc. are allowed to use the key (https://firebase.google.com/docs/projects/api-keys#apply-restrictions). The primary concern there is resource quota theft rather than exposing anything secret... so maybe something we want to think about for staging/production deployments.

sjahl commented 3 years ago

Closing here, since I don't think there's anything that needs to be done.