From 3b1be53a5341f67b3c5247a731cf392520a3b36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= <jonatan@maennchen.ch>
Date: Sat, 5 Jul 2025 11:42:45 +0200
Subject: [PATCH] tighten CI secret scope and move AWS config to environment
 vars

* Add `environment: release` to the "publish-to-hex" job so that only
  workflows explicitly targeting the release environment can read
  sensitive values.
* Gate the job behind `if: ${{ vars.HEX_AWS_REGION }}` to avoid noisy
  failures in forks where the variable is not configured.
* Replace `${{ secrets.HEX_AWS_REGION }}` / `${{ secrets.HEX_AWS_S3_BUCKET }}`
  references with `${{ vars.* }}`.  These are not credentials, so
  environment-level *variables* are a better fit and keep them readable
  only by jobs that declare the environment.
* Remove Fastly secrets from the job-wide `env:` block and inject them
  only into the Fastly purge step, following the principle of least
  privilege.  Other steps no longer see these tokens.

Restricting secret visibility to an environment and to the exact step
that needs them reduces the blast radius of a compromised workflow run,
blocks accidental exposure in logs of unrelated steps, and stops forks
from obtaining privileged data.
---
 .github/workflows/release.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3dae6524c2a..c82aad7b03b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -303,14 +303,14 @@ jobs:
     needs: [build, sign]
     runs-on: ubuntu-22.04
     concurrency: builds-hex-pm
+    environment: release
+    # Only run if HEX_AWS_REGION is set (no failing job in forks)
+    if: "${{ vars.HEX_AWS_REGION }}"
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.HEX_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.HEX_AWS_SECRET_ACCESS_KEY }}
-      AWS_REGION: ${{ secrets.HEX_AWS_REGION }}
-      AWS_S3_BUCKET: ${{ secrets.HEX_AWS_S3_BUCKET }}
-      FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
-      FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
-      FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
+      AWS_REGION: ${{ vars.HEX_AWS_REGION }}
+      AWS_S3_BUCKET: ${{ vars.HEX_AWS_S3_BUCKET }}
       OTP_GENERIC_VERSION: "25"
     steps:
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -417,3 +417,7 @@ jobs:
           for key in $(cat purge_keys.txt); do
             purge "${key}"
           done
+        env:
+          FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
+          FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
+          FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}