Create a Guide/Template: Preventing Secrets & Credentials Leaks in GitHub

[gregpawin]

Overview

We need to create a guide to preventing secrets and credentials from being published on GitHub.

Action Items

• [ ] Gather examples of how other projects have done it, adding each example as a link in the resources section
  • [ ] Once done, remove the "TG: Gather Examples" label and add the "TG: Draft Template" label
• [ ] Create a draft template, either in markdown format in this issue or a google doc in the Engineering google drive
  • [ ] Once done, remove the "TG: Draft Template" label and add the "TG: Create Guide" label
• [ ] Create a guide on how to use the template
  • [ ] Once done, remove the "TG: Create Guide" label and add the "TG: Review Guide" label
• [ ] Review the guide with product management communities of practice
  • [ ] Once done, remove the "TG: Review Guide" label and add the "TG: Leadership Review" label
• [ ] Present to Hack for LA leadership team for sign off
  • [ ] Once approved, remove the "TG: Leadership Review" label and add the "TG: Place Guide" label
• [ ] Possibly create an issue template on .github
  • [ ] Include link to template under resources if you add it as a template in .github

Resources

Update tracker issue (TBD) with the name of item you are working

Projects with no mention of "secrets" and/or "credentials" in their Contributing.md or README.md file:

• 100 Automations
• 311 Data
• Access the Data
• BallotNav
• Civic Opportunity Project
• Civic Tech Index
• Civic Tech Structure
• Engage
• Expunge-Assist (formerly known as Record Clearance)
• Food Oasis

Projects to check

• Brigade Organizer's Playbook
• Civic Tech Jobs
• Data Science Projects
• Design Systems
• GreenEarthOS
• Guides
• HomeUniteUs
• Internship project
• Lucky Parking
• Open Community Survey
• TDM Calculator
• VRMS
• Hack for LA's Website
• Youth Justice Nav

[ExperimentsInHonesty]

@salice Can you share with us:

• how much time was used recovering from pete's homeuniteus pr that published his .env file to AWS account.
• Are there any others that you know about and how long each of them took (I think the other one might be lucky parking).

[gregpawin]

When I published the Lucky Parking secrets, I got the warning within minutes and fixed it right away, which included killing the old credentials and creating new ones.

[ExperimentsInHonesty]

@gregpawin how long did the clean up take? https://github.com/hackforla/engineering/issues/17#issuecomment-891511226

[gregpawin]

It took less than 30 mins

[ExperimentsInHonesty]

sophias repo with pre commit hooks https://github.com/100Automations/github-actions https://github.com/100Automations/pre-commit-hooks

[JasonEb]

Trying to revive and keep a pulse on this issue. @gregpawin is this issue still active for you? Is there anything we can help you with?

[gregpawin]

Sorry, this issue originated from the engineering COP as a part of the effort to create guides for all the COPs. I have since then stepped down from lead engineering COP and it seems that the issue got moved to ops.

[JasonEb]

Thanks so much for the update! We'll follow-up with Bonnie and see what's to be done with this issue.

On Wed, Jul 20, 2022 at 5:48 PM Greg Pawin @.***> wrote:

Sorry, this issue originated from the engineering COP as a part of the effort to create guides for all the COPs. I have since then stepped down from lead engineering COP and it seems that the issue got moved to ops.

— Reply to this email directly, view it on GitHub https://github.com/hackforla/ops/issues/10#issuecomment-1190912670, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQCKQ7PJNTJJWJ4FZGUFLDVVCM45ANCNFSM5HKJ4X7Q . You are receiving this because you were assigned.Message ID: @.***>