Add recommendation to use environment secrets instead of repository secrets#273
Closed
jack-berg wants to merge 1 commit into
Closed
Add recommendation to use environment secrets instead of repository secrets#273jack-berg wants to merge 1 commit into
jack-berg wants to merge 1 commit into
Conversation
This was referenced May 28, 2026
pellared
approved these changes
May 28, 2026
| publishing, signing, and other privileged workflows. | ||
|
|
||
| With **repository secrets**, any workflow running in the repository can access | ||
| them — including workflows triggered on non-protected branches. This means |
Member
There was a problem hiding this comment.
I do not even know how to type an em-dash on the keyboard 😉
Suggested change
| them — including workflows triggered on non-protected branches. This means | |
| them, including workflows triggered on non-protected branches. This means |
|
|
||
| With **repository secrets**, any workflow running in the repository can access | ||
| them — including workflows triggered on non-protected branches. This means | ||
| anyone with write access could push a non-protected branch containing secret |
Member
There was a problem hiding this comment.
I suggest capitalizing the role name https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization
Suggested change
| anyone with write access could push a non-protected branch containing secret | |
| anyone with Write access could push a non-protected branch containing secret |
| With **environment secrets**, access is restricted to workflows running in the | ||
| context of a named environment, and that environment can be configured to only | ||
| allow deployments from specific branches. This means even a contributor with | ||
| write access cannot access the secrets without their code successfully passing |
Member
There was a problem hiding this comment.
Suggested change
| write access cannot access the secrets without their code successfully passing | |
| Write access cannot access the secrets without their code successfully passing |
| context of a named environment, and that environment can be configured to only | ||
| allow deployments from specific branches. This means even a contributor with | ||
| write access cannot access the secrets without their code successfully passing | ||
| all branch protection criteria — i.e., an approved and merged PR. |
Member
There was a problem hiding this comment.
Suggested change
| all branch protection criteria — i.e., an approved and merged PR. | |
| all branch protection criteria, i.e., an approved and merged PR. |
trask
approved these changes
May 28, 2026
Comment on lines
+74
to
+76
| 4. Remove the corresponding repository-level secrets. If both exist, the | ||
| repository-level secret remains accessible from any branch, defeating the | ||
| purpose. |
Member
There was a problem hiding this comment.
maybe swap ordering of 4 and 5, and mention something about may need to backport the release workflow update if making an older patch release
Member
Author
|
Bah, forgot to create the branch on my fork. See #274 instead. |
Member
yeah, this is annoying, proposing to block the initial creation to avoid the after-the-fact surprise: https://github.com/open-telemetry/admin/pull/676 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://cloud-native.slack.com/archives/C01NJ7V1KRC/p1779975433850719
Companion PR: open-telemetry/community#3480