Open
Labels: enhancement (New feature or request)
Summary
Add support for managing GitHub repository and organization secrets via Terraform configuration.
Problem
Currently, secrets must be managed manually through the GitHub UI or separate tooling. This breaks the "everything as code" paradigm and creates:
- Manual configuration drift
- No audit trail for secret changes
- Inconsistent secret availability across repositories
Proposed Solution
Add secrets configuration to YAML with secure handling:

```yaml
# config/secrets.yml
organization_secrets:
  NPM_TOKEN:
    visibility: selected  # all, private, selected
    selected_repositories:
      - my-package
      - another-package
  DEPLOY_KEY:
    visibility: private
repository_secrets:
  my-repo:
    DATABASE_URL:
      # Value comes from environment variable or external secret manager
      source: env:MY_REPO_DATABASE_URL
    API_KEY:
      source: env:MY_REPO_API_KEY
```

Security Considerations
- Never store secret values in YAML - only references to external sources
- Supported sources:
  - Environment variables (env:VAR_NAME)
  - HashiCorp Vault (vault:path/to/secret)
  - AWS Secrets Manager (aws-sm:secret-name)
  - Azure Key Vault (azure-kv:vault/secret)
- Terraform state - secrets will be in state, recommend encrypted backend
- Documentation - clear warnings about state file security
Terraform Resources
- github_actions_organization_secret
- github_actions_secret
- github_dependabot_organization_secret
- github_dependabot_secret
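As an added illustration of the source abstraction described above (not code from this project or the issue author), the script below loads the proposed schema, rejects any literal secret value in the config, resolves each `source:` reference at run time, and emits a dict shaped for a Terraform `for_each` variable feeding the resources listed above. It also produces an audit-safe view (names and visibility only) that can be logged without leaking values. Assumptions: the config is embedded as the Python dict the YAML would load to (so no YAML library is needed), every secret carries a `source:` (the proposal's organization secrets omit one), only the `env:` source is implemented, and the `DEMO_ENV` values, `env_resolver`, `build_tfvars` and `audit_view` names are constructed for this example.

```python
"""Resolve a secrets.yml-style config into Terraform inputs without storing values in YAML."""
import json
import re
from typing import Callable, Dict, List, Mapping

# Constructed config: what the proposed config/secrets.yml would load to,
# with a `source:` added to every secret (assumption for this example).
CONFIG = {
    "organization_secrets": {
        "NPM_TOKEN": {
            "visibility": "selected",
            "selected_repositories": ["my-package", "another-package"],
            "source": "env:ORG_NPM_TOKEN",
        },
        "DEPLOY_KEY": {"visibility": "private", "source": "env:ORG_DEPLOY_KEY"},
    },
    "repository_secrets": {
        "my-repo": {
            "DATABASE_URL": {"source": "env:MY_REPO_DATABASE_URL"},
            "API_KEY": {"source": "env:MY_REPO_API_KEY"},
        }
    },
}

# Constructed stand-in for os.environ so the demo runs offline.
DEMO_ENV = {
    "ORG_NPM_TOKEN": "npm-demo-token",
    "ORG_DEPLOY_KEY": "deploy-demo-key",
    "MY_REPO_DATABASE_URL": "postgres://demo",
    "MY_REPO_API_KEY": "api-demo-key",
}

# GitHub secret-name rules: alphanumerics/underscore, no leading digit, no GITHUB_ prefix.
SECRET_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
VISIBILITIES = {"all", "private", "selected"}
KNOWN_PREFIXES = ("env", "vault", "aws-sm", "azure-kv")  # prefixes from the proposal

Resolver = Callable[[str], str]


def env_resolver(environ: Mapping[str, str]) -> Resolver:
    """Build an `env:` resolver over a given environment (pass os.environ in real use)."""
    def resolve(name: str) -> str:
        if name not in environ:
            raise KeyError(f"environment variable {name!r} is not set")
        return environ[name]
    return resolve


def resolve_source(source: str, resolvers: Dict[str, Resolver]) -> str:
    """Split `prefix:ref` and dispatch to the registered resolver for that prefix."""
    prefix, sep, ref = source.partition(":")
    if not sep or prefix not in KNOWN_PREFIXES:
        raise ValueError(f"unsupported secret source {source!r}")
    if prefix not in resolvers:
        raise ValueError(f"no resolver registered for {prefix!r} (hook it up before apply)")
    return resolvers[prefix](ref)


def validate_secret(name: str, spec: dict, org_level: bool) -> None:
    """Reject inline values, bad names and inconsistent visibility settings."""
    if not SECRET_NAME_RE.match(name) or name.upper().startswith("GITHUB_"):
        raise ValueError(f"invalid secret name {name!r}")
    if "value" in spec or "plaintext_value" in spec:
        raise ValueError(f"{name}: literal secret values are not allowed in YAML")
    if "source" not in spec:
        raise ValueError(f"{name}: missing 'source'")
    if org_level:
        vis = spec.get("visibility", "all")
        repos = spec.get("selected_repositories", [])
        if vis not in VISIBILITIES:
            raise ValueError(f"{name}: visibility must be one of {sorted(VISIBILITIES)}")
        if vis == "selected" and not repos:
            raise ValueError(f"{name}: visibility 'selected' needs selected_repositories")
        if vis != "selected" and repos:
            raise ValueError(f"{name}: selected_repositories only valid with 'selected'")


def build_tfvars(config: dict, resolvers: Dict[str, Resolver]) -> dict:
    """Return a dict for a sensitive Terraform variable consumed with for_each.

    Keys are stable addresses (NAME or repo/NAME) so a rename shows in
    `terraform plan` as destroy+create instead of a silent in-place edit.
    """
    out = {"organization_secrets": {}, "repository_secrets": {}}
    for name, spec in config.get("organization_secrets", {}).items():
        validate_secret(name, spec, org_level=True)
        out["organization_secrets"][name] = {
            "visibility": spec.get("visibility", "all"),
            "selected_repositories": list(spec.get("selected_repositories", [])),
            "plaintext_value": resolve_source(spec["source"], resolvers),
        }
    for repo, secrets in config.get("repository_secrets", {}).items():
        for name, spec in secrets.items():
            validate_secret(name, spec, org_level=False)
            out["repository_secrets"][f"{repo}/{name}"] = {
                "repository": repo,
                "secret_name": name,
                "plaintext_value": resolve_source(spec["source"], resolvers),
            }
    return out


def audit_view(tfvars: dict) -> List[str]:
    """Lines safe to log for an audit trail: which secrets are managed, never their values."""
    lines = [f"org secret {n} visibility={s['visibility']}"
             for n, s in sorted(tfvars["organization_secrets"].items())]
    lines += [f"repo secret {k}" for k in sorted(tfvars["repository_secrets"])]
    return lines


if __name__ == "__main__":
    tfvars = build_tfvars(CONFIG, {"env": env_resolver(DEMO_ENV)})
    for line in audit_view(tfvars):
        print(line)
    # Real use: write this to a *.auto.tfvars.json with restrictive permissions,
    # not stdout; it is printed here only because the demo values are fake.
    print(json.dumps(tfvars, indent=2))
```

The resolved dict carries plaintext values only in memory and in the tfvars file handed to Terraform, which is why the provider resources still write them to state and the encrypted backend recommendation above stands. Registering a `vault:`, `aws-sm:` or `azure-kv:` resolver is a matter of adding a callable under that prefix; unknown prefixes and missing resolvers fail before anything is applied.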
Tasks
- Design secrets schema with source abstraction
- Implement Terraform module for secrets
- Add support for organization-level secrets
- Add support for repository-level secrets
- Add support for Dependabot secrets
- Document security best practices
- Add examples with different secret sources
Security Warning
This feature requires careful implementation to avoid exposing secrets. Clear documentation is needed on:
- State file encryption
- CI/CD secret handling
- Audit logging