department-of-veterans-affairs / va-mobile-app

"If VA were a company, it would have a flagship mobile app."
https://department-of-veterans-affairs.github.io/va-mobile-app/

Automation - Revoke/Create CircleCI Secrets #4552

Closed narin closed 1 year ago

narin commented 1 year ago

Automation Ticket

CircleCI had a security breach and we need to update several keys used for our automations once we've moved them over to GHA.

Secrets to rotate

- ANDROID_KS_KEY_ALIAS, ANDROID_KS_KEY_PW, ANDROID_KS_PW, GOOGLE_KS (Key issues - Play Console Help)
- APPSTORE_CONNECT_API_KEY_ID, APPSTORE_CONNECT_API_KEY_ISSUER_ID, APPSTORE_CONNECT_BASE64 (https://appstoreconnect.apple.com/access/api: Create API keys, Revoke API keys)
- APP_CLIENT_SECRET - IAM staging
- APP_CLIENT_SECRET_PROD - IAM prod
- CIRCLECI_TOKEN - CircleCI PAT for Robot - new token
- DEMO_PASSWORD
- FASTLANE_GITHUB_TOKEN - for the fastlane slack_commands
- FIREBASE_DIST_FILE_BASE64, GOOGLE_SERVICES_JSON, IOS_GS_PLIST_BASE64 - These are configuration data and can be decompiled from the app or sniffed. These are not keys.
- GOOGLE_SA_JSON - Do we need to change this or create a new service account? (Setup - fastlane docs) Need to follow that, but revoke the old key and add a new key.
- IOS_CERTIFICATE_BASE64 - I think we can ace this in the configs
- IOS_KEYCHAIN_NAME - do we still need these with match?
- IOS_KEYCHAIN_PASSWORD
- IOS_PROVISIONING_BASE64
- MATCH_PASSWORD (match - fastlane docs)
- SLACK_ACCESS_TOKEN - same as SLACK_API_TOKEN
- SLACK_API_TOKEN
- SLACK_URL= [redacted]
  https://dsva.slack.com/apps/A023284J0UC-va-mobile-app-build-notifier?tab=settings&next_id=0
  https://api.slack.com/apps/A023284J0UC/oauth?

Type of Change

What systems/scripts are changing?

What is the work being done?

Testing considerations

What testing did you do?

What testing needs to be done by the reviewer?

What testing needs to be done to ensure that this work is complete in production?

Acceptability Criteria
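One check worth running alongside a rotation ticket like the one above is to cross-reference the rotation list against what the pipelines actually consume: every secret name still referenced in the old CircleCI config should either be wired into a GitHub Actions workflow under the new value or be consciously dropped, and any name on the list that no pipeline references at all can simply be revoked rather than recreated. The script below is an added example, not code from the va-mobile-app project; the secret names come from the ticket, but the CircleCI config and GHA workflow snippets are constructed sample input, and the report categories are this example's own.

```python
from __future__ import annotations

import re

# Secret names taken from the ticket's "Secrets to rotate" list (a subset, to keep
# the sample small).
ROTATE = {
    "ANDROID_KS_KEY_ALIAS",
    "ANDROID_KS_KEY_PW",
    "ANDROID_KS_PW",
    "GOOGLE_KS",
    "MATCH_PASSWORD",
    "APPSTORE_CONNECT_BASE64",
    "CIRCLECI_TOKEN",
}

# Constructed sample: what an old .circleci/config.yml might look like. Not the
# project's real config.
CIRCLECI_CONFIG = """\
version: 2.1
jobs:
  android_build:
    steps:
      - run: echo "$GOOGLE_KS" | base64 -d > app/release.keystore
      - run: ./gradlew bundleRelease -Pks_pw="${ANDROID_KS_PW}" -Pkey_alias="$ANDROID_KS_KEY_ALIAS" -Pkey_pw="$ANDROID_KS_KEY_PW"
  ios_build:
    steps:
      - run: MATCH_PASSWORD="$MATCH_PASSWORD" bundle exec fastlane ios beta
"""

# Constructed sample: the replacement GitHub Actions workflow, mid-migration.
GHA_WORKFLOW = """\
name: build
on: [push]
jobs:
  android:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ secrets.GOOGLE_KS }}" | base64 -d > app/release.keystore
      - run: ./gradlew bundleRelease
        env:
          ANDROID_KS_PW: ${{ secrets.ANDROID_KS_PW }}
          ANDROID_KS_KEY_ALIAS: ${{ secrets.ANDROID_KS_KEY_ALIAS }}
  ios:
    runs-on: macos-latest
    steps:
      - run: bundle exec fastlane ios beta
        env:
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
"""

# GHA exposes secrets only through the ${{ secrets.NAME }} expression syntax.
GHA_SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# CircleCI project env vars appear in run steps as $NAME or ${NAME}.
CIRCLE_ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")


def gha_secret_refs(workflow_text: str) -> set[str]:
    """Names of repository secrets referenced by a GitHub Actions workflow."""
    return set(GHA_SECRET_RE.findall(workflow_text))


def circleci_env_refs(config_text: str) -> set[str]:
    """Upper-case environment variable names referenced by a CircleCI config."""
    return set(CIRCLE_ENV_RE.findall(config_text))


def rotation_report(rotate: set[str], circle_text: str, gha_text: str) -> dict[str, set[str]]:
    """Classify each secret on the rotation list by where it is still referenced."""
    circle = circleci_env_refs(circle_text)
    gha = gha_secret_refs(gha_text)
    return {
        # Present in the new pipeline: rotate the value there and verify a build.
        "migrated": rotate & gha,
        # On the list but not wired into GHA yet: either a migration gap or retired.
        "not_in_gha": rotate - gha,
        # Old config still names them: revoke before that config can run again.
        "still_in_circleci": rotate & circle,
        # Nothing uses these: revoke, and do not bother recreating.
        "unreferenced_anywhere": rotate - gha - circle,
    }


if __name__ == "__main__":
    for category, names in rotation_report(ROTATE, CIRCLECI_CONFIG, GHA_WORKFLOW).items():
        print(f"{category}: {sorted(names)}")
```

On the sample input the report flags ANDROID_KS_KEY_PW as used by the old Android job but absent from the new workflow (a gap to close before the CircleCI config is deleted), and APPSTORE_CONNECT_BASE64 and CIRCLECI_TOKEN as referenced by neither pipeline. Point the two text constants at the real `.circleci/config.yml` and `.github/workflows/*.yml` files to run it against a repository; secrets consumed indirectly (for example by fastlane reading its own environment) still need to be checked by hand.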

narin commented 1 year ago

@kellylein Since we're moving off of CircleCI, I'm moving this to the GitHub Actions epic. We'll create all new keys once we've completed the migration.

narin commented 1 year ago

All keys have been revoked and recreated. Closing out.