From 3b1be53a5341f67b3c5247a731cf392520a3b36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?=
Date: Sat, 5 Jul 2025 11:42:45 +0200
Subject: [PATCH] tighten CI secret scope and move AWS config to environment vars

* Add `environment: release` to the "publish-to-hex" job so that only workflows explicitly targeting the release environment can read sensitive values.
* Gate the job behind `if: ${{ vars.HEX_AWS_REGION }}` to avoid noisy failures in forks where the variable is not configured.
* Replace `${{ secrets.HEX_AWS_REGION }}` / `${{ secrets.HEX_AWS_S3_BUCKET }}` references with `${{ vars.* }}`. These are not credentials, so environment-level *variables* are a better fit and keep them readable only by jobs that declare the environment.
* Remove Fastly secrets from the job-wide `env:` block and inject them only into the Fastly purge step, following the principle of least privilege. Other steps no longer see these tokens.

Restricting secret visibility to an environment and to the exact step that needs them reduces the blast radius of a compromised workflow run, blocks accidental exposure in logs of unrelated steps, and stops forks from obtaining privileged data.
---
 .github/workflows/release.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3dae6524c2a..c82aad7b03b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -303,14 +303,14 @@ jobs:
 needs: [build, sign]
 runs-on: ubuntu-22.04
 concurrency: builds-hex-pm
+ environment: release
+ # Only run if HEX_AWS_REGION is set (no failing job in forks)
+ if: "${{ vars.HEX_AWS_REGION }}"
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.HEX_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.HEX_AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.HEX_AWS_REGION }}
- AWS_S3_BUCKET: ${{ secrets.HEX_AWS_S3_BUCKET }}
- FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
- FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
- FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
+ AWS_REGION: ${{ vars.HEX_AWS_REGION }}
+ AWS_S3_BUCKET: ${{ vars.HEX_AWS_S3_BUCKET }}
 OTP_GENERIC_VERSION: "25"
 steps:
 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -417,3 +417,7 @@ jobs:
 for key in $(cat purge_keys.txt); do
 purge "${key}"
 done
+ env:
+ FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
+ FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
+ FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
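Review bot: The new job-level `if: "${{ vars.HEX_AWS_REGION }}"` in the first hunk is evaluated before the job's `environment: release` is entered, and in my experience the `vars` context at that point only carries repository- and organization-level variables; if `HEX_AWS_REGION` is defined on the `release` environment, as the commit description suggests for the AWS values, the condition likely sees an empty string and the publish job is silently skipped everywhere, not just in forks. Either define `HEX_AWS_REGION` as a repository variable for the gate (keeping the environment-scoped copy for `env:`), or move the check to a step `if:` inside the job where environment variables are resolved, and confirm with one run on the default branch. The `publish-to-hex` job and its `steps:` continue past the hunk. As a follow-up, `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are still long-lived static keys; with the job now bound to an environment, an OIDC exchange via `aws-actions/configure-aws-credentials` under `permissions: id-token: write` would let the static key be removed entirely.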
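Review bot: The Fastly purge step in the second hunk now receives `FASTLY_KEY` and the two service IDs through a step-level `env:`, but nothing checks that they are configured; since the job is gated only on `HEX_AWS_REGION`, a repository that has the AWS variable but not the Fastly secrets would run `purge` (defined above the hunk) with empty credentials and fail after the S3 upload has already happened. The `secrets` context is not available in a step-level `if:`, so the usual pattern is a non-sensitive flag in the job-level env, `FASTLY_CONFIGURED: ${{ secrets.HEX_FASTLY_KEY != '' }}`, and on the purge step `if: ${{ env.FASTLY_CONFIGURED == 'true' }}`. The `run:` block this `env:` belongs to starts outside the hunk, so its indentation relative to the step could not be checked here.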