Skip to content

Commit f0d6c73

Browse files
nullvariantclaude
andauthored
docs(security): add secrets management and environment protection (#92)
- Add Secrets Management section to SECURITY.md - Document all 15 secrets used in CI/CD workflows - Add production environment to publish.yml and unpublish.yml - Marketplace secrets now protected by GitHub Environment - Bump version to 0.10.41 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Model-Raw: claude-opus-4-5-20251101 Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent f58e9eb commit f0d6c73

5 files changed

Lines changed: 87 additions & 3 deletions

File tree

.github/workflows/publish.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ permissions: {}
1010
jobs:
1111
publish:
1212
runs-on: ubuntu-latest
13+
environment: production
1314
# Prevent forks from publishing
1415
if: github.repository == 'nullvariant/nullvariant-vscode-extensions'
1516
permissions:

.github/workflows/unpublish.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ permissions: {}
1818
jobs:
1919
unpublish:
2020
runs-on: ubuntu-latest
21+
environment: production
2122
permissions:
2223
contents: read
2324
# Prevent forks from unpublishing (no marketplace secrets)

SECURITY.md

Lines changed: 64 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ If you discover a security vulnerability, please report it by:
2222
- We will respond within 48 hours
2323

2424
2. **Email**
25-
- security@nullvariant.com
25+
- `security@nullvariant.com`
2626
- Use PGP encryption if possible (key available on request)
2727

2828
**Please do NOT open a public issue for security vulnerabilities.**
@@ -55,6 +55,69 @@ npm run test:security
5555
```
5656

5757
This includes tests for:
58+
5859
- Command injection vectors
5960
- XSS prevention in webviews
6061
- CSP policy enforcement
62+
63+
## Secrets Management
64+
65+
This section documents all secrets used in CI/CD workflows.
66+
67+
### Repository Secrets
68+
69+
| Name | Purpose | Used In | Rotation | Sensitivity |
70+
| ---- | ------- | ------- | -------- | ----------- |
71+
| VSCE_PAT | VS Code Marketplace publishing | publish.yml, unpublish.yml | Annual | High |
72+
| OVSX_PAT | Open VSX publishing | publish.yml, unpublish.yml | Annual | High |
73+
| CODECOV_TOKEN | Coverage reporting | ci.yml | As needed | Medium |
74+
| CLOUDFLARE_API_TOKEN | Cloudflare Pages/R2 deployment | deploy-docs.yml, publish.yml | Annual | High |
75+
| CLOUDFLARE_ACCOUNT_ID | Cloudflare account identifier (public) | deploy-docs.yml, publish.yml | Never | Low (public ID) |
76+
77+
### GitHub App Secrets (6 bots × 2 secrets each)
78+
79+
| Bot | Secrets | Used In |
80+
| --- | ------- | ------- |
81+
| Justice | JUSTICE_BOT_APP_ID, JUSTICE_BOT_PRIVATE_KEY | justice-bot.yml |
82+
| Luna | LUNA_BOT_APP_ID, LUNA_BOT_PRIVATE_KEY | luna-bot.yml |
83+
| Slow | SLOW_BOT_APP_ID, SLOW_BOT_PRIVATE_KEY | slow-bot.yml |
84+
| Blaze | BLAZE_BOT_APP_ID, BLAZE_BOT_PRIVATE_KEY | blaze-bot.yml |
85+
| Ciel | CIEL_BOT_APP_ID, CIEL_BOT_PRIVATE_KEY | ciel-bot.yml |
86+
| Mimi | MIMI_BOT_APP_ID, MIMI_BOT_PRIVATE_KEY | mimi-bot.yml |
87+
88+
**Security Notes for GitHub Apps**:
89+
90+
- Private Keys do not expire, but annual rotation is recommended
91+
- APP_IDs are public identifiers (low sensitivity)
92+
- Private Keys are high sensitivity - treat as passwords
93+
- Each bot has minimal permissions scoped to its specific function
94+
95+
### Environment Protection
96+
97+
Marketplace publishing secrets (VSCE_PAT, OVSX_PAT) are protected by the `production` environment, which requires:
98+
99+
- Tag push matching `git-id-switcher-v*` pattern
100+
- Repository owner approval (optional)
101+
102+
**Note**: CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID remain as repository secrets (not environment secrets) because they are also used by deploy-docs.yml, which triggers on main branch push.
103+
104+
### Rotation Procedure
105+
106+
1. **Generate new token** from the provider (Azure DevOps, Open VSX, Cloudflare)
107+
2. **Update GitHub secret** in repository settings
108+
3. **Verify workflow execution** by triggering a test run
109+
4. **Revoke old token** from the provider
110+
111+
### Provider Links
112+
113+
| Secret | Provider | Management URL | Expiration |
114+
| ------ | -------- | -------------- | ---------- |
115+
| VSCE_PAT | Azure DevOps | [Azure DevOps Tokens](https://dev.azure.com/nullvariant/_usersSettings/tokens) | 2027-01-08 |
116+
| OVSX_PAT | Open VSX | [Open VSX Tokens](https://open-vsx.org/user-settings/tokens) | No expiration |
117+
| CLOUDFLARE_API_TOKEN | Cloudflare | [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens) | No expiration |
118+
| CODECOV_TOKEN | Codecov | [Codecov Settings](https://app.codecov.io/account/gh/nullvariant/settings) | No expiration |
119+
| GitHub App Keys | GitHub | [GitHub Apps](https://github.com/settings/apps) | No expiration |
120+
121+
**Token Details**:
122+
123+
- **CLOUDFLARE_API_TOKEN**: Named `nullvariant-vscode-extensions-github-actions-deploy`, permissions: Workers R2 Storage:Edit

extensions/git-id-switcher/CHANGELOG.md

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [0.10.41] - 2026-01-09
11+
12+
### Security
13+
14+
- **CI/CD: Environment Protection for Marketplace Publishing**
15+
- Added `production` environment to publish.yml and unpublish.yml
16+
- Marketplace secrets (VSCE_PAT, OVSX_PAT) now protected by GitHub Environment
17+
- Requires tag push matching `git-id-switcher-v*` pattern
18+
- Implements least privilege principle for CI/CD secrets
19+
20+
### Added
21+
22+
- **Secrets Management Documentation**
23+
- Added comprehensive Secrets Management section to SECURITY.md
24+
- Documents all 15 secrets used in CI/CD workflows
25+
- Includes rotation procedures and provider links
26+
- Added sensitivity levels for each secret
27+
1028
## [0.10.40] - 2026-01-09
1129

1230
### Changed
@@ -1003,7 +1021,8 @@ This release includes comprehensive security hardening across multiple areas.
10031021
- `gitIdentitySwitcher.autoSwitchSshKey`: Auto SSH key switching
10041022
- `gitIdentitySwitcher.showNotifications`: Show switch notifications
10051023

1006-
[Unreleased]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.40...HEAD
1024+
[Unreleased]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.41...HEAD
1025+
[0.10.41]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.40...git-id-switcher-v0.10.41
10071026
[0.10.40]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.39...git-id-switcher-v0.10.40
10081027
[0.10.39]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.38...git-id-switcher-v0.10.39
10091028
[0.10.38]: https://github.com/nullvariant/nullvariant-vscode-extensions/compare/git-id-switcher-v0.10.37...git-id-switcher-v0.10.38

extensions/git-id-switcher/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
"name": "git-id-switcher",
33
"displayName": "%extension.displayName%",
44
"description": "%extension.description%",
5-
"version": "0.10.40",
5+
"version": "0.10.41",
66
"publisher": "nullvariant",
77
"icon": "images/icon.png",
88
"engines": {

0 commit comments

Comments
 (0)