Recommend environment secrets #274
| 4. Remove the corresponding repository-level secrets. If both exist, the | ||
| repository-level secret remains accessible from any branch, defeating the | ||
| purpose. |
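Review bot: in step 4, "Remove the corresponding repository-level secrets" does not say when removal is safe. A job that does not declare the environment currently resolves the repository-level secret and will get an empty value once that secret is removed, so suggest adding a check that every workflow job using the secret sets `environment:` before this step is carried out.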
There was a problem hiding this comment.
Maybe swap the ordering of 4 and 5, and mention that the release workflow update may need to be backported if making an older patch release.
|
|
||
| Steps: | ||
|
|
||
| 1. Create an environment (e.g., `protected`) in the repository settings. |
There was a problem hiding this comment.
I think we should recommend setting it up properly via Terraform in https://github.com/open-telemetry/admin.
There was a problem hiding this comment.
oh wow I totally forgot I did this: https://github.com/open-telemetry/admin/pull/595
There was a problem hiding this comment.
But even with the environment set up in Terraform, maintainers still need admin to be able to go and manage secrets for that environment, yeah?
|
|
||
| Caveats: | ||
|
|
||
| - Repository admin permission is required to create environments and manage |
There was a problem hiding this comment.
| - Repository admin permission is required to create environments and manage | |
| - Repository admin permission is required to manage |
not if done via Terraform (https://github.com/open-telemetry/sig-security/pull/274/changes#r3318814752)
There was a problem hiding this comment.
I think @arminru's suggestion here is just to remove the "create environments" portion, since it's better to do that part via Terraform.
There was a problem hiding this comment.
@jack-berg please let me know when this is addressed and the PR is ready to be merged.
https://cloud-native.slack.com/archives/C01NJ7V1KRC/p1779975433850719
Companion PR: open-telemetry/community#3480