This repository is home to the Operations Engineering's tools and utilities for managing, monitoring, and optimising software development processes at the Ministry of Justice. • This repository is defined and managed in Terraform
As a member of the operations engineering team,
I want to organise and secure the GitHub personal access tokens in the moj-operations-engineering-bot account,
so that we can reduce risks, improve clarity, and align with best practices in token management.
Value
Properly managing these tokens will significantly reduce security risks by limiting their scope and improving their traceability. It will also streamline our processes by creating a clear and efficient method for future token creation and management.
NEW_TOKEN is currently used in ministryofjustice/operations-engineering (as GH_BOT_PAT_TOKEN GitHub secret) for multiple different projects. This conflicts with ADR 020, in that NEW_TOKEN is a Classic token and used for multiple purposes.
Functional Requirements:
[ ] ~Replace use of Classic NEW_TOKEN in operations-engineering with suitable Fine-grained PATs.~
[x] Replace use of Classic NEW_TOKEN (GH_BOT_PAT_TOKEN and OPS_BOT_TOKEN GitHub secrets) in operations-engineering with new well-named, expiry dated, reduced permissions Classic token for use ONLY in this repo.
Non-Functional Requirements:
[ ] ~Create 2 FG-PATs one for ministryofjustice and one for moj-analytical-services if required~
[ ] ~Decide how best to split up token usage in operations-engineering repository, for example, by project (one token per project) or purpose (different workflows may require the same permissions as they do similar things), considering ease of documentation and managing these tokens.~
[x] Created new classic token following ADR 020; scoping to the business area, repo and limiting the permissions to just those required.
[x] Created new GitHub secrets in operations-engineering and update with the corresponding new token, following naming conventions in ADR-020 and suffix for GitHub secret name.
[x] Updated code where secret name has changed from GH_BOT_PAT_TOKEN or OPS_BOT_TOKEN.
[ ] ~Tested each new token works for the workflow/s that now use it.~
User Need
As a member of the operations engineering team, I want to organise and secure the GitHub personal access tokens in the
moj-operations-engineering-bot
account, so that we can reduce risks, improve clarity, and align with best practices in token management.Value
Properly managing these tokens will significantly reduce security risks by limiting their scope and improving their traceability. It will also streamline our processes by creating a clear and efficient method for future token creation and management.
NEW_TOKEN is currently used in
ministryofjustice/operations-engineering
(asGH_BOT_PAT_TOKEN
GitHub secret) for multiple different projects. This conflicts with ADR 020, in thatNEW_TOKEN
is a Classic token and used for multiple purposes.Functional Requirements:
NEW_TOKEN
inoperations-engineering
with suitable Fine-grained PATs.~NEW_TOKEN
(GH_BOT_PAT_TOKEN
andOPS_BOT_TOKEN
GitHub secrets) inoperations-engineering
with new well-named, expiry dated, reduced permissions Classic token for use ONLY in this repo.Non-Functional Requirements:
ministryofjustice
and one formoj-analytical-services
if required~Acceptance Criteria:
GH_BOT_PAT_TOKEN
orOPS_BOT_TOKEN
.Notes:
Classic token required as some workflows require cross org permissions.