Today, most of the build and packaging secrets come in via either a local file or an environment variable. Neither of these feels good. Instead, it would be better if we kept them in GCP's secret manager, and then run things with an appropriate service account. (Or as humans, with human credentials)
This would unify secret management for the build/package things.
Probably also help with the general supply chain security. (Cf: SLSA and whatnot)
Doing this requires:
Terraform to create / setup GCP secret manager
Manually populating the secrets
Creating service accounts for GitHub Actions and MacStadium
Updating kworker to use above
Updating porter to use above
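As an added illustration of the Terraform and service-account items in the list above (not the project's own code): one Secret Manager secret, a dedicated service account for GitHub Actions, a least-privilege read binding, and workload identity federation so the workflow needs no stored key file. The project id, secret name and `org/repo` value are assumed placeholders; the MacStadium account would follow the same pattern with its own identity.

```hcl
# Added example, not the project's own Terraform; project id and repo are assumed.
variable "project_id" { type = string } # assumption: supplied by the caller
variable "github_repo" { type = string } # assumption: "org/repo"

# Secret container only; the value is added out of band (manually), e.g.
#   gcloud secrets versions add packaging-signing-key --data-file=key.pem
resource "google_secret_manager_secret" "packaging_key" {
  project   = var.project_id
  secret_id = "packaging-signing-key"
  replication {
    auto {}
  }
}

# Dedicated identity for GitHub Actions; no key file is ever created for it.
resource "google_service_account" "gha" {
  project    = var.project_id
  account_id = "gha-packaging"
}
# Least privilege: read this one secret, not the whole project.
resource "google_secret_manager_secret_iam_member" "gha_reads_key" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.packaging_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.gha.email}"
}

# Workload identity federation: the workflow's GitHub OIDC token is exchanged
# for a short-lived GCP token, so no long-lived credential is stored anywhere.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
}
resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  attribute_condition = "assertion.repository == '${var.github_repo}'" # this repo only
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
# Let workflows from that repository (and nothing else) act as the service account.
resource "google_service_account_iam_member" "gha_wif" {
  service_account_id = google_service_account.gha.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repo}"
}
```

The workflow side then authenticates with the pool provider and service account names, and the secret value itself never appears in the repository, in Terraform state, or in an environment variable checked into CI config.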
Putting this aside for now -- the only work remaining is to update porter to use Secret Manager, which is discrete from the other tasks worked on for this issue so far.