Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Surge token in GH Actions: switch for GH secrets to the use of KSM secrets manager #678

Open
tbouffard opened this issue Feb 23, 2024 · 0 comments

Comments

@tbouffard
Copy link
Member

The whole bonitasoft organization is doing the switch to the KSM secrets manager.
Retrieving the secrets to use in the GH workflow would looks like something

- name: Retrieve secrets from Keeper
  uses: Keeper-Security/ksm-action@v1
  with:
    keeper-secret-config: ${{ secrets.KSM_CONFIG }}
    secrets: |
      ${{ vars.KEEPER_SURGE_TOKEN_RECORD_ID }}/field/password > env:SURGE_TOKEN

Notice that this configuration has a drawback in term of security.
Previously, the token was available only in repositories where the secrets was configured to be accessible.
In the future, all repo of the organization will have access to this token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant