You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(security): add secrets management and environment protection (#92)
- Add Secrets Management section to SECURITY.md
- Document all 15 secrets used in CI/CD workflows
- Add production environment to publish.yml and unpublish.yml
- Marketplace secrets now protected by GitHub Environment
- Bump version to 0.10.41
🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)
Model-Raw: claude-opus-4-5-20251101
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Private Keys do not expire, but annual rotation is recommended
91
+
- APP_IDs are public identifiers (low sensitivity)
92
+
- Private Keys are high sensitivity - treat as passwords
93
+
- Each bot has minimal permissions scoped to its specific function
94
+
95
+
### Environment Protection
96
+
97
+
Marketplace publishing secrets (VSCE_PAT, OVSX_PAT) are protected by the `production` environment, which requires:
98
+
99
+
- Tag push matching `git-id-switcher-v*` pattern
100
+
- Repository owner approval (optional)
101
+
102
+
**Note**: CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID remain as repository secrets (not environment secrets) because they are also used by deploy-docs.yml, which triggers on main branch push.
103
+
104
+
### Rotation Procedure
105
+
106
+
1.**Generate new token** from the provider (Azure DevOps, Open VSX, Cloudflare)
107
+
2.**Update GitHub secret** in repository settings
108
+
3.**Verify workflow execution** by triggering a test run
0 commit comments