Tighten secret scope in release.yml #14627

Open. Wants to merge 1 commit into base: main.

Conversation

maennchen
Member

What changed

  • Introduced environment: release to the publish-to-hex job so that only workflows explicitly targeting the release environment can read sensitive values.
  • Added a safeguard, `if: ${{ vars.HEX_AWS_REGION }}`, to skip the job in forks that don’t define release variables.
  • Converted non-secret AWS settings to environment variables
    • ${{ vars.HEX_AWS_REGION }}
    • ${{ vars.HEX_AWS_S3_BUCKET }}
      These are configuration values, not credentials, so variables are a better fit and remain visible only to jobs using the release environment.
  • Scoped Fastly secrets to the purge step instead of the whole job, keeping tokens out of steps that don’t need them.

Why it matters

Placing secrets in an environment and scoping them to the minimum surface area:

  • prevents forks and unrelated jobs from accessing production credentials;
  • limits accidental leakage in logs;
  • follows the principle of least privilege, reducing the blast radius if any single step is compromised.

TODO for Maintainers

Item → New home

  • HEX_AWS_REGION, HEX_AWS_S3_BUCKET → Environment → release → Variables
  • HEX_AWS_ACCESS_KEY_ID, HEX_AWS_SECRET_ACCESS_KEY, HEX_FASTLY_REPO_SERVICE_ID, HEX_FASTLY_BUILDS_SERVICE_ID, HEX_FASTLY_KEY → Environment → release → Secrets

Once the moves are complete, new release builds will run with the tighter permissions automatically.

* Add `environment: release` to the "publish-to-hex" job so that only
  workflows explicitly targeting the release environment can read
  sensitive values.
* Gate the job behind `if: ${{ vars.HEX_AWS_REGION }}` to avoid noisy
  failures in forks where the variable is not configured.
* Replace `${{ secrets.HEX_AWS_REGION }}` / `${{ secrets.HEX_AWS_S3_BUCKET }}`
  references with `${{ vars.* }}`.  These are not credentials, so
  environment-level *variables* are a better fit and keep them readable
  only by jobs that declare the environment.
* Remove Fastly secrets from the job-wide `env:` block and inject them
  only into the Fastly purge step, following the principle of least
  privilege.  Other steps no longer see these tokens.

Restricting secret visibility to an environment and to the exact step
that needs them reduces the blast radius of a compromised workflow run,
blocks accidental exposure in logs of unrelated steps, and stops forks
from obtaining privileged data.
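As an added illustration of the job layout the description and commit message above specify (this is not the PR's diff, which is not reproduced on this page, and not the project's release.yml): the job is bound to the `release` environment, gated on `vars.HEX_AWS_REGION`, carries only AWS settings in its job-wide `env`, and exposes the Fastly secrets to the purge step alone. The trigger, step names, `aws s3 sync` command and the Fastly `purge_all` calls are assumptions.

```yaml
# Added illustration, not the project's workflow. Trigger, step names and
# the upload/purge commands are assumed; job, environment, variable and
# secret names are the ones this PR describes.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  publish-to-hex:
    runs-on: ubuntu-latest
    # Bind the job to the release environment: secrets and variables
    # configured under Environment -> release are readable only here.
    environment: release
    # Skip the job entirely in forks that define no release variables,
    # instead of failing noisily on missing credentials.
    if: ${{ vars.HEX_AWS_REGION }}
    # Job-wide env carries only AWS settings. The Fastly tokens that used to
    # live here are moved to the single step that needs them (below).
    env:
      AWS_REGION: ${{ vars.HEX_AWS_REGION }}          # config, not a credential
      AWS_S3_BUCKET: ${{ vars.HEX_AWS_S3_BUCKET }}    # config, not a credential
      AWS_ACCESS_KEY_ID: ${{ secrets.HEX_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.HEX_AWS_SECRET_ACCESS_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Upload release artifacts (assumed command)
        run: aws s3 sync ./out "s3://${AWS_S3_BUCKET}/releases/${GITHUB_REF_NAME}/"

      - name: Purge Fastly cache
        # Step-scoped env: the upload step above and any later step never
        # see these values, and they cannot leak into those steps' logs.
        env:
          FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
          FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
          FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
        run: |
          # Assumed purge calls; the key travels in a header and is never echoed.
          for svc in "$FASTLY_REPO_SERVICE_ID" "$FASTLY_BUILDS_SERVICE_ID"; do
            curl -fsS -X POST -H "Fastly-Key: ${FASTLY_KEY}" \
              "https://api.fastly.com/service/${svc}/purge_all"
          done
```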