This repository is home to the Operations Engineering team's tools and utilities for managing, monitoring and optimising software development processes at the Ministry of Justice.
This repository is defined and managed in Terraform.
User Need
As a member of the operations engineering team,
I want to organise and secure the GitHub personal access tokens in the moj-operations-engineering-bot account,
so that we can reduce risks, improve clarity, and align with best practices in token management.
Value
Properly managing these tokens will significantly reduce security risks by limiting their scope and improving their traceability. It will also streamline our processes by creating a clear and efficient method for future token creation and management.
Functional Requirements:
[x] Identify all existing GitHub personal access tokens associated with the moj-operations-engineering-bot account.
[x] Develop a standardised process for creating and managing GitHub personal access tokens.
[x] Explore the integration with the Cloud Platform's secrets-manager for secure storage and management of these tokens.
[x] Assess and limit the scope of each existing token to minimise potential security risks as per agreed standard.
[x] Create new or rename existing tokens to make their purpose and scope clear and understandable as per agreed standard.
Non-Functional Requirements:
[x] Ensure the token management process is secure, following industry best practices and GitHub recommendations.
[x] The process should be well-documented, providing clear token creation, naming, and scope definition guidelines.
Acceptance Criteria:
[x] All existing tokens in the moj-operations-engineering-bot account are identified, scoped appropriately, and renamed for clarity.
[x] A documented process is established for future token creation, including naming conventions and scope limitations.
[ ] The integration with the Cloud Platform's secrets-manager for storing and managing tokens is successfully demonstrated.
[ ] Stakeholders are informed about the new process and any changes to existing tokens.
Notes:
Review GitHub's best practices and recommendations for creating bot tokens to ensure alignment with industry standards.
Engage with team members who frequently use these tokens to understand their needs and ensure the new process accommodates them.
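A check for the scope-limiting items above (the fourth functional requirement and the first acceptance criterion), written as an added example for this page and not code from the operations-engineering repository or the Cloud Platform. It assumes classic personal access tokens, whose granted scopes GitHub reports in the X-OAuth-Scopes response header of every authenticated REST call; the token names, header values and required-scope sets in it are constructed illustrations, not the team's agreed standard:

```python
"""Scope audit for classic GitHub personal access tokens (added example).

Not code from the operations-engineering repository. It assumes classic
PATs: for those, every authenticated REST response carries an
X-OAuth-Scopes header listing the granted scopes. Fine-grained PATs do not
send this header, so fetch_granted_scopes() returns an empty set for them.
"""
import urllib.request

# Classic scopes that imply narrower scopes. Assumption: hand-copied from
# GitHub's scope documentation; review it when GitHub adds scopes.
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org", "manage_runners:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key", "read:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
    "write:packages": {"read:packages"},
    "write:discussion": {"read:discussion"},
    "project": {"read:project"},
}


def parse_scopes(header_value):
    """Turn 'repo, workflow, read:org' (or '') into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Close a scope set under implication: 'repo' also grants 'public_repo', etc."""
    expanded = set(scopes)
    pending = list(scopes)
    while pending:
        for implied in IMPLIED_SCOPES.get(pending.pop(), ()):
            if implied not in expanded:
                expanded.add(implied)
                pending.append(implied)
    return expanded


def audit_token(name, granted_header, required):
    """Compare the scopes a token actually has with what its one job needs.

    Both sides are expanded first, so a token holding 'repo' for a job that
    only needs 'public_repo' is reported with 'repo' and everything it implies
    as excess, while a job that genuinely needs 'repo' reports none.
    """
    granted = expand_scopes(parse_scopes(granted_header))
    needed = expand_scopes(required)
    return {
        "token": name,
        "granted": sorted(granted),
        "excess": sorted(granted - needed),
        "missing": sorted(needed - granted),
    }


def fetch_granted_scopes(token, api="https://api.github.com"):
    """Live check (needs network): read X-OAuth-Scopes from GET /user."""
    req = urllib.request.Request(
        f"{api}/user",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "pat-scope-audit",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


# Constructed sample: token names, the X-OAuth-Scopes value GitHub would
# return for each, and the scopes the named job needs. Names and
# requirements are illustrative, not the team's agreed standard.
SAMPLE_TOKENS = [
    ("ops-eng-bot-repo-standards", "repo, admin:org, workflow",
     {"public_repo", "read:org"}),
    ("ops-eng-bot-dormant-users", "read:org, read:user",
     {"read:org", "read:user"}),
]


def audit_samples():
    """Run the audit over the constructed sample tokens."""
    return [audit_token(*sample) for sample in SAMPLE_TOKENS]


if __name__ == "__main__":
    for report in audit_samples():
        flag = "OVER-SCOPED" if report["excess"] else "ok"
        print(f"{report['token']}: {flag}; excess={report['excess']}"
              f" missing={report['missing']}")
```

Two caveats when using this against the bot account: GitHub has no REST endpoint that lists a user's own classic tokens, so the "identify all existing tokens" item is still done from the account's token settings page, with this script applied to each token once it is in hand; and a token that holds `repo` is reported as excess even when only one of the scopes it implies is needed, which is the point of the check, since the agreed standard is the narrower scope, not the umbrella.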