Rotate all the secrets

[gerhard]

We used to keep our app secrets in LastPass. While we have migrated to 1Password part of https://github.com/thechangelog/changelog.com/discussions/433, in light of Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it, the only way to know for sure that our secrets are secure, we must rotate all credentials that we used to store in LastPass.

We will take this opportunity to see which services are no longer in use, and DELETE them.

Used by changelog-2022-03-13 app

• [x] ALGOLIA_API_KEY
• [x] ALGOLIA_APPLICATION_ID - OK to be public, nothing secret about it
• [x] AWS_ACCESS_KEY_ID
• [x] AWS_SECRET_ACCESS_KEY
• [x] BACKUPS_AWS_ACCESS_KEY DELETE, no longer used
• [x] BACKUPS_AWS_SECRET_KEY DELETE, no longer used
• [x] BUFFER_TOKEN 🤷‍♀️
• [x] CM_API_TOKEN
• [x] CM_SMTP_TOKEN
• [x] COVERALLS_REPO_TOKEN DELETE, no longer used
• [x] FASTLY_API_TOKEN DELETE, no longer used
• [x] GITHUB_API_TOKEN
• [x] GITHUB_CLIENT_ID
• [x] GITHUB_CLIENT_SECRET
• [x] GRAFANA_API_KEY DELETE, no longer used
• [x] HCAPTCHA_SECRET_KEY DELETE, no longer used
• [x] HN_PASS DELETE, no longer used
• [x] HN_USER DELETE, no longer used
• [x] NOTION_API_TOKEN
• [x] PLUSPLUS_SLUG no need to rotate this
• [x] PROMETHEUS_BEARER_TOKEN_PROM_EX DELETE, no longer used
• [x] RECAPTCHA_SECRET_KEY DELETE, no longer used
• [x] SECRET_KEY_BASE
• [x] SENTRY_AUTH_TOKEN DELETE, no longer used
• [x] SHOPIFY_API_KEY
• [x] SHOPIFY_API_PASSWORD
• [x] SLACK_APP_API_TOKEN
• [x] SLACK_INVITE_API_TOKEN
• [x] TURNSTILE_SECRET_KEY
• [x] TWITTER_CONSUMER_KEY
• [x] TWITTER_CONSUMER_SECRET

ENVs in 1Password

• [x] ALGOLIA_API_KEY
• [x] ALGOLIA_APPLICATION_ID
• [x] AWS_ACCESS_KEY_ID
• [x] AWS_SECRET_ACCESS_KEY
• [x] BACKUPS_AWS_ACCESS_KEY DELETE, no longer used
• [x] BACKUPS_AWS_SECRET_KEY DELETE, no longer used
• [x] BUFFER_TOKEN 🤷‍♀️
• [x] CM_API_TOKEN
• [x] CM_SMTP_TOKEN
• [x] COVERALLS_REPO_TOKEN DELETE, no longer used
• [x] DNSIMPLE_ACCOUNT DELETE, no longer used
• [x] DNSIMPLE_TOKEN DELETE, no longer used
• [x] FASTLY_API_TOKEN DELETE, no longer used
• [x] GITHUB_API_TOKEN
• [x] GITHUB_CLIENT_ID
• [x] GITHUB_CLIENT_SECRET
• [x] GRAFANA_API_KEY DELETE, no longer used
• [x] GRAFANA_CLOUD_LOKI_PASSWORD DELETE, no longer used
• [x] GRAFANA_CLOUD_LOKI_USERNAME DELETE, no longer used
• [x] GRAFANA_CLOUD_PASSWORD DELETE, no longer used
• [x] GRAFANA_CLOUD_PROMEX DELETE, no longer used
• [x] GRAFANA_CLOUD_REMOTE_WRITE_PASSWORD DELETE, no longer used
• [x] GRAFANA_CLOUD_REMOTE_WRITE_USERNAME DELETE, no longer used
• [x] GRAFANA_CLOUD_USERNAME DELETE, no longer used
• [x] GRAFANA_CLOUD_lke-prod-20200426 DELETE, no longer used
• [x] GRAFANA_CLOUD_lke-prod-2021 DELETE, no longer used
• [x] HCAPTCHA_SECRET_KEY DELETE, no longer used
• [x] HN_PASS DELETE, no longer used
• [x] HN_USER DELETE, no longer used
• [x] HONEYCOMB_API_KEY DELETE, only needed by Fastly
• [x] LINODE_CLI_TOKEN DELETE, no longer used
• [x] METRICS_GITHUB_OAUTH_APP_CLIENT_ID DELETE, no longer used
• [x] METRICS_GITHUB_OAUTH_APP_CLIENT_SECRET DELETE, no longer used
• [x] PG_DOTCOM_PASS DELETE, no longer used
• [x] PLUSPLUS_SLUG
• [x] POSTGRES_PASSWORD DELETE, no longer used
• [x] PROMETHEUS_BEARER_TOKEN_PROM_EX DELETE, no longer used
• [x] RECAPTCHA_SECRET_KEY DELETE, no longer used
• [x] ROLLBAR_ACCESS_TOKEN DELETE, no longer used
• [x] SENTRY_AUTH_TOKEN DELETE, no longer used
• [x] SHOPIFY_API_KEY
• [x] SHOPIFY_API_PASSWORD
• [x] SLACK_APP_API_TOKEN
• [ ] SLACK_DEPLOY_WEBHOOK
• [x] SLACK_INVITE_API_TOKEN
• [x] TWITTER_CONSUMER_KEY
• [x] TWITTER_CONSUMER_SECRET
• [x] UPBOUND_CLOUD_USER_TOKEN DELETE, no longer used

[gerhard]

Follow-ups:

• delete Coveralls code
• delete HackerNews code

[jerodsanto]

@gerhard pretty close to done! I believe the Sentry auth token was set up by you and I couldn't find it anywhere from my account. It's only called from the sentry-release command in the Makefile. Can you handle this one?

[gerhard]

Yes, I set up that integration: https://changelog-media.sentry.io/settings/developer-settings/

BUT I no longer have the necessary permissions to create a new integration.

Can you assign me Manager permissions? Knowing how I roll, I would prefer Owner so that I don't hit any limitations in the future. Only @adamstac can do this according to https://changelog-media.sentry.io/settings/members/

[jerodsanto]

You are now a Manager ✊

[gerhard]

I have set up a new integration before realizing that I could have added a new token to the existing one. When you have a moment @adamstac, can you please delete sentry-release-on-app-start-2023-02-18 (requires Owner privileges).

Actually, you can also delete sentry-release-on-app-start. FWIW https://github.com/thechangelog/changelog.com/commit/61f1dda8f521f2c7410b010cf628611c6741ffe0

[gerhard]

I think that we can close this even though the SLACK_DEPLOY_WEBHOOK has not been rotated. It's OK to re-open if you think otherwise.

FTR: https://api.slack.com/apps/AJLKS2NAV/incoming-webhooks & https://github.com/thechangelog/changelog.com/pull/418