
Move Build & Packaging Secrets into a key manager #1257

Closed
4 of 5 tasks
directionless opened this issue Jul 19, 2023 · 2 comments
directionless (Contributor) commented Jul 19, 2023

Today, most of the build and packaging secrets come in via either a local file or an environment variable. Neither of these feels good. Instead, it would be better if we kept them in GCP's Secret Manager, and then ran things with an appropriate service account. (Or, as humans, with human credentials.)

This would unify secret management for the build/package things.

It would probably also help with general supply chain security. (Cf. SLSA and whatnot.)

Doing this requires:

  • Terraform to create / set up GCP Secret Manager
  • Manually populating the secrets
  • Creating service accounts for GitHub Actions and MacStadium
  • Updating kworker to use the above
  • Updating porter to use the above
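The steps above, as one added Terraform example. This is not kolide/launcher's own configuration and none of it comes from the issue; the secret names, service-account IDs, pool/provider IDs, and the `project_id` and `github_repo` variables are placeholders. It creates the secrets (without their values), one service account each for GitHub Actions and MacStadium, per-secret accessor grants rather than a project-wide role, and a Workload Identity Federation pool so GitHub Actions runs can impersonate their service account with short-lived tokens instead of a downloaded key. It assumes the `hashicorp/google` provider 5.x or later.

```hcl
# Added example, not kolide/launcher's Terraform. All names are placeholders.
terraform {
  required_providers {
    google = { source = "hashicorp/google", version = ">= 5.0" }
  }
}

variable "project_id" { type = string }
variable "github_repo" {
  type        = string
  description = "owner/name of the repository whose Actions runs may read the secrets (placeholder)"
}

# One Secret Manager secret per build/packaging credential. Only the containers
# are created here; values are added out-of-band so they never land in state.
locals {
  packaging_secrets = ["notarization-password", "signing-key-passphrase"]
}

resource "google_secret_manager_secret" "packaging" {
  for_each  = toset(local.packaging_secrets)
  project   = var.project_id
  secret_id = each.key
  replication {
    auto {}
  }
}

# Dedicated identities: one for GitHub Actions, one for the MacStadium builders.
resource "google_service_account" "gha" {
  project      = var.project_id
  account_id   = "packaging-gha"
  display_name = "GitHub Actions packaging"
}

resource "google_service_account" "macstadium" {
  project      = var.project_id
  account_id   = "packaging-macstadium"
  display_name = "MacStadium packaging"
}

# Least privilege: secretAccessor is bound on each secret individually,
# not as a project-level role, so the accounts can read nothing else.
resource "google_secret_manager_secret_iam_member" "gha_access" {
  for_each  = google_secret_manager_secret.packaging
  project   = var.project_id
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.gha.email}"
}

resource "google_secret_manager_secret_iam_member" "macstadium_access" {
  for_each  = google_secret_manager_secret.packaging
  project   = var.project_id
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.macstadium.email}"
}

# GitHub Actions authenticates through Workload Identity Federation: the
# runner's OIDC token is exchanged for a short-lived GCP credential, so no
# long-lived service-account key has to be stored as a GitHub secret.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  # Reject OIDC tokens minted for any other repository.
  attribute_condition = "assertion.repository == \"${var.github_repo}\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Only workflows of the named repository may impersonate the GHA account.
resource "google_service_account_iam_member" "gha_impersonation" {
  service_account_id = google_service_account.gha.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repo}"
}
```

The "manually populating" step is then a human with their own credentials running, per secret, `gcloud secrets versions add notarization-password --project=PROJECT --data-file=-` and piping the value in, so the plaintext never appears in Terraform state or shell history. MacStadium hosts run outside GCP, so how they obtain credentials for their service account (a key file or another federation provider) is left open here, as it is in the issue.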
RebeccaMahany (Contributor) commented
Putting this aside for now -- the only work remaining is to update porter to use Secret Manager, which is discrete from the other tasks worked on for this issue so far.

directionless (Contributor, Author) commented
I think we can close this. While we should update porter that's pretty tied to GHA, and distinct from the packaging. 🎉
