Automated key management system with "find, store, inject, forget" workflow

[Copilot]

Implements secure automated key management for API keys and secrets across applications. The system discovers required environment variables, stores them in GitHub Secrets, injects them into deployment configurations, and clears sensitive data from memory.

Core Components

• Configuration (key-manager.config.json): Defines 13 environment variables with validation patterns and injection targets
• Key Manager Script (scripts/key-manager.ts): TypeScript implementation with GitHub Secrets API integration, extensible external source fetching, and secure memory clearing
• GitHub Workflow (.github/workflows/key-manager.yml): Reusable workflow with workflow_call trigger for CI/CD integration

Usage

Command line:

cd scripts
bunx tsx key-manager.ts check    # Audit existing keys
bunx tsx key-manager.ts scan     # Full workflow
bunx tsx key-manager.ts inject   # Inject from environment

GitHub Actions:

jobs:
  manage-keys:
    uses: ./.github/workflows/key-manager.yml
    secrets: inherit
    with:
      command: 'scan'
      dry_run: false

Key Features

• Automatic discovery of required environment variables from configuration
• GitHub Secrets API integration with automatic masking
• Extensible external source fetching (uses KEYFINDER_SECRET for authentication)
• .env file injection with template support
• Memory clearing after processing to prevent leakage
• Three commands: scan (full workflow), check (audit only), inject (deployment)

Security

• All key values masked in logs via GitHub Secrets
• Sensitive data overwritten and cleared from memory after use
• Pattern validation for key formats (e.g., ^postgresql:// for DATABASE_URL)
• Limited access via GitHub permissions

Configuration Example

{
  "requiredKeys": [
    {
      "name": "DATABASE_URL",
      "description": "PostgreSQL database connection string",
      "pattern": "^postgresql://",
      "required": true,
      "inject": [".env", "docker-compose"]
    }
  ],
  "externalSources": [
    {
      "name": "keyfinder",
      "type": "api",
      "authSecret": "KEYFINDER_SECRET",
      "endpoint": "https://api.keyfinder.example/v1/keys"
    }
  ]
}

Documentation

Five documentation files provide complete reference:

• KEY_MANAGEMENT_QUICKSTART.md - 5-minute setup guide
• KEY_MANAGEMENT.md - Complete system reference
• KEY_MANAGEMENT_EXAMPLES.md - CI/CD integration patterns
• KEY_MANAGEMENT_INTEGRATION.md - Real-world workflow examples
• KEY_MANAGEMENT_SUMMARY.md - Technical implementation details

Testing

Unit tests validate configuration schema, pattern validation, and essential keys presence. Test infrastructure uses vitest.

Extensibility

The system supports:

• Custom external key sources via configuration
• Additional file format injection (YAML placeholder included)
• Environment-specific secrets (e.g., STAGING_*, PROD_*)
• Multi-repository deployment via workflow_call

Original prompt

Automated Key Management System

Build an automated key management system that securely handles API keys across all applications with a "find, store, inject, forget" workflow.

Core Requirements

1. Key Discovery & Retrieval

• Scan application code to identify required API keys/secrets based on environment variable usage
• Check if keys exist in GitHub repository secrets first
• If keys are missing, attempt to fetch them from external sources using the keyfinder secret for authentication
• Support common key sources: environment variable patterns, .env.example files, configuration files

2. Secure Storage

• Store discovered keys in GitHub repository secrets automatically
• Inject keys into applications at the proper locations (environment variables, config files)
• Never log or expose actual key values in build outputs
• Clear sensitive data from memory after processing

3. Automation & Deployment Integration

• Create a reusable GitHub Action workflow that runs at the end of builds
• Should be triggered before deployment steps
• Should work across multiple repositories (can be called from other repos)
• Only the user (al7566) and this system should have access to actual key values

4. Memory Management

• After storing keys, erase the actual values from workflow memory
• Only retain metadata about key locations and names
• Keys should only be accessible when properly needed during deployment

Implementation Details

GitHub Action Workflow

Create .github/workflows/key-manager.yml that:

• Triggers on workflow_call (reusable) and can be invoked at end of builds
• Uses the keyfinder secret from repository secrets for authentication
• Scans the application for required keys
• Checks GitHub secrets for existing keys
• Fetches missing keys (placeholder logic for external sources - can be extended)
• Updates repository secrets via GitHub API
• Injects keys into build artifacts or deployment configuration
• Clears sensitive values after processing

Key Management Script

Create scripts/key-manager.js or scripts/key-manager.ts that:

• Parses application code to find required environment variables
• Identifies missing keys
• Formats keys for GitHub secrets API
• Handles key injection into various formats (.env, docker-compose, etc.)
• Implements secure memory clearing

Security Considerations

• Use GitHub's secrets masking features
• Implement proper error handling without exposing key values
• Validate key formats before storage
• Support key rotation workflows
• Log operations without logging sensitive data

Expected Behavior

1. During Build: Workflow scans app → identifies needed keys → checks secrets
2. If Key Missing: Uses keyfinder to authenticate and fetch key from external source
3. Storage: Adds key to GitHub secrets if not already there
4. Injection: Places key in proper location for app to use
5. Cleanup: Erases key value from workflow memory, retains only location metadata
6. Reuse: Next time, finds key in secrets instead of fetching again

Configuration

• The keyfinder secret should be available in repository secrets
• Support configuration file (e.g., key-manager.config.json) to specify:
  • Which keys are required for the application
  • Where keys should be injected
  • External sources to check (extensible)

Documentation

Include README documentation explaining:

• How to use the key management system in new projects
• How to configure it for different app types
• Security best practices
• Troubleshooting common issues

This system should work as a core functionality that can be integrated into any new app deployment process.

This pull request was created from Copilot chat.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[al7566]

@copilot {
"requiredKeys": [
{
"name": "DATABASE_URL",
"description": "PostgreSQL database connection string",
"pattern": "^postgresql://",
"required": true,
"inject": [".env", "docker-compose"]
}
],
"externalSources": [
{
"name": "keyfinder",
"type": "api",
"authSecret": "KEYFINDER_SECRET",
"endpoint": "https://api.keyfinder.example/v1/keys"
}
]
}jobs:
manage-keys:
uses: ./.github/workflows/key-manager.yml
secrets: inherit
with:
command: 'scan'
dry_run: falsecd scripts
bunx tsx key-manager.ts check # Audit existing keys
bunx tsx key-manager.ts scan # Full workflow
bunx tsx key-manager.ts inject # Inject from environment