Feature: Repository and organization secrets management #3

@gjed

Description

Summary

Add support for managing GitHub repository and organization secrets via Terraform configuration.

Problem

Currently, secrets must be managed manually through the GitHub UI or separate tooling. This breaks the "everything as code" paradigm and creates:

  • Manual configuration drift
  • No audit trail for secret changes
  • Inconsistent secret availability across repositories

Proposed Solution

Add secrets configuration to YAML with secure handling:

# config/secrets.yml
organization_secrets:
  NPM_TOKEN:
    visibility: selected  # all, private, selected
    selected_repositories:
      - my-package
      - another-package

  DEPLOY_KEY:
    visibility: private

repository_secrets:
  my-repo:
    DATABASE_URL:
      # Value comes from environment variable or external secret manager
      source: env:MY_REPO_DATABASE_URL

    API_KEY:
      source: env:MY_REPO_API_KEY

Security Considerations

  1. Never store secret values in YAML - only references to external sources
  2. Supported sources:
    • Environment variables (env:VAR_NAME)
    • HashiCorp Vault (vault:path/to/secret)
    • AWS Secrets Manager (aws-sm:secret-name)
    • Azure Key Vault (azure-kv:vault/secret)
  3. Terraform state - resolved secret values will end up in state, so an encrypted backend is recommended
  4. Documentation - clear warnings about state file security
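As an added illustration of the YAML schema and the source abstraction above (not code from this project), the following resolver validates a config of that shape and resolves env: references, failing closed on an inline value, an unknown scheme or an unset variable. The config is a constructed dict mirroring the YAML so it runs without a YAML library; the function and error names are assumptions.

```python
import re

# Source schemes from the issue; only env: is resolved here, the rest are validated as references.
SUPPORTED_SCHEMES = {"env", "vault", "aws-sm", "azure-kv"}
REF_RE = re.compile(r"^(?P<scheme>[a-z-]+):(?P<path>\S+)$")
VISIBILITIES = {"all", "private", "selected"}

class SecretConfigError(ValueError):
    """Config that would store, leak or silently skip a secret."""

def parse_ref(ref):
    """Split 'env:VAR' into ('env', 'VAR'); reject anything else."""
    m = REF_RE.match(ref or "")
    if not m or m.group("scheme") not in SUPPORTED_SCHEMES:
        raise SecretConfigError(f"unsupported secret source: {ref!r}")
    return m.group("scheme"), m.group("path")

def check_org_secret(name, spec):
    """Visibility rules github_actions_organization_secret enforces."""
    vis, repos = spec.get("visibility"), spec.get("selected_repositories")
    if vis not in VISIBILITIES:
        raise SecretConfigError(f"{name}: bad visibility {vis!r}")
    if (vis == "selected") != bool(repos):
        raise SecretConfigError(f"{name}: selected_repositories requires visibility 'selected'")

def plan_repo_secrets(config, env):
    """Resolve repository secrets to values keyed by (repo, name); any
    inline 'value', unknown scheme or unset variable aborts the whole plan."""
    plan = {}
    for repo, secrets in config.get("repository_secrets", {}).items():
        for name, spec in secrets.items():
            if "value" in spec:  # rule 1 of the issue: never a literal value
                raise SecretConfigError(f"{repo}/{name}: inline value not allowed")
            scheme, path = parse_ref(spec.get("source"))
            if scheme != "env":
                raise SecretConfigError(f"{repo}/{name}: no client for {scheme}:")
            if path not in env:
                raise SecretConfigError(f"{repo}/{name}: ${path} is not set")
            plan[(repo, name)] = env[path]
    return plan

# Constructed sample mirroring the YAML above (a dict, so no YAML dependency).
SAMPLE_CONFIG = {
    "organization_secrets": {
        "NPM_TOKEN": {"visibility": "selected", "selected_repositories": ["my-package", "another-package"]},
        "DEPLOY_KEY": {"visibility": "private"}},
    "repository_secrets": {"my-repo": {"DATABASE_URL": {"source": "env:MY_REPO_DATABASE_URL"},
                                       "API_KEY": {"source": "env:MY_REPO_API_KEY"}}},
}
```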

Terraform Resources

  • github_actions_organization_secret
  • github_actions_secret
  • github_dependabot_organization_secret
  • github_dependabot_secret

Tasks

  • Design secrets schema with source abstraction
  • Implement Terraform module for secrets
  • Add support for organization-level secrets
  • Add support for repository-level secrets
  • Add support for Dependabot secrets
  • Document security best practices
  • Add examples with different secret sources

Security Warning

This feature requires careful implementation to avoid exposing secrets. Clear documentation is needed about:

  • State file encryption
  • CI/CD secret handling
  • Audit logging

Labels: enhancement (New feature or request)