Recommend environment secrets #274
+52
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -44,6 +44,58 @@ Resources: | |||||
| - [Immutable releases](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases) | ||||||
| - [Verifying the integrity of a release](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/verifying-the-integrity-of-a-release) | ||||||
|
|
||||||
| ## GitHub environment secrets | ||||||
|
|
||||||
| GitHub [environment secrets](https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#creating-secrets-for-an-environment) | ||||||
| provide an additional layer of protection for sensitive secrets used in | ||||||
| publishing, signing, and other privileged workflows. | ||||||
|
|
||||||
| With **repository secrets**, any workflow running in the repository can access | ||||||
| them, including workflows triggered on non-protected branches. This means | ||||||
| anyone with write access could push a non-protected branch containing secret | ||||||
| exfiltration code and trigger a workflow without going through a PR review. | ||||||
|
|
||||||
| With **environment secrets**, access is restricted to workflows running in the | ||||||
| context of a named environment, and that environment can be configured to only | ||||||
| allow deployments from specific branches. This means even a contributor with | ||||||
| write access cannot access the secrets without their code successfully passing | ||||||
| all branch protection criteria (i.e. an approved and merged PR). | ||||||
|
|
||||||
| Recommendation: migrate publishing, signing, and other privileged secrets from | ||||||
| repository secrets to an environment with a deployment branch policy restricting | ||||||
| access to `main` and `release/**` branches. | ||||||
|
|
||||||
| Steps: | ||||||
|
|
||||||
| 1. Create an environment (e.g., `protected`) in the repository settings. | ||||||
| 2. Configure a deployment branch policy on the environment, allowing only | ||||||
| `main` and `release/**` (adjust to match your branching strategy). | ||||||
| 3. Add your publishing and signing secrets to the environment. | ||||||
| 4. Remove the corresponding repository-level secrets. If both exist, the | ||||||
| repository-level secret remains accessible from any branch, defeating the | ||||||
| purpose. | ||||||
|
Comment on lines
+74
to
+76
Member
There was a problem hiding this comment. maybe swap ordering of 4 and 5, and mention something about may need to backport the release workflow update if making an older patch release |
||||||
| 5. Update release workflows to run in the context of the environment: | ||||||
|
|
||||||
| ```yaml | ||||||
| jobs: | ||||||
| release: | ||||||
| environment: protected | ||||||
| steps: | ||||||
| ... | ||||||
| ``` | ||||||
|
|
||||||
| Caveats: | ||||||
|
|
||||||
| - Repository admin permission is required to create environments and manage | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
not if done via Terraform (https://github.com/open-telemetry/sig-security/pull/274/changes#r3318814752)
Member
There was a problem hiding this comment. I think @arminru's suggestion here is just to remove the "create environments" portion, since better to do that part via terraform.
Member
There was a problem hiding this comment. @jack-berg please let me know when this is addressed and the PR is ready to be merged. |
||||||
| environment secrets. See [Request Repository Admin Permissions](https://github.com/open-telemetry/community/blob/main/guides/maintainer/github-admin-processes.md#request-repository-admin-permissions) | ||||||
| if you need to request access. | ||||||
|
|
||||||
| Resources: | ||||||
|
|
||||||
| - [Using environments for deployment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) | ||||||
| - [Creating secrets for an environment](https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#creating-secrets-for-an-environment) | ||||||
| - [Example migration in opentelemetry-java](https://github.com/open-telemetry/opentelemetry-java/pull/8432/changes#diff-bae0feaab53d9bdd636360014c03f3456cd796c65e3984b5373443e92fdb5efeR17) | ||||||
|
|
||||||
| ## Binding to Network Interfaces | ||||||
|
|
||||||
| Always bind to localhost rather than to 0.0.0.0 or any interface, unless there | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should recommend setting it up properly via Terraform in https://github.com/open-telemetry/admin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh wow I totally forgot I did this: https://github.com/open-telemetry/admin/pull/595
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/open-telemetry/admin/pull/684
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But even with the environment setup in terraform, maintainers still need admin to be able to go and manage secrets for that environment yeah?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, looks like it