Automated Key Management System

Build an automated key management system that securely handles API keys across all applications with a "find, store, inject, forget" workflow.

Core Requirements

1. Key Discovery & Retrieval

• Scan application code to identify required API keys/secrets based on environment variable usage
• Check if keys exist in GitHub repository secrets first
• If keys are missing, attempt to fetch them from external sources using the keyfinder secret for authentication
• Support common key sources: environment variable patterns, .env.example files, configuration files

2. Secure Storage

• Store discovered keys in GitHub repository secrets automatically
• Inject keys into applications at the proper locations (environment variables, config files)
• Never log or expose actual key values in build outputs
• Clear sensitive data from memory after processing

3. Automation & Deployment Integration

• Create a reusable GitHub Action workflow that runs at the end of builds
• Should be triggered before deployment steps
• Should work across multiple repositories (can be called from other repos)
• Only the user (al7566) and this system should have access to actual key values

4. Memory Management

• After storing keys, erase the actual values from workflow memory
• Only retain metadata about key locations and names
• Keys should only be accessible when properly needed during deployment

Implementation Details

GitHub Action Workflow

Create .github/workflows/key-manager.yml that:

• Triggers on workflow_call (reusable) and can be invoked at end of builds
• Uses the keyfinder secret from repository secrets for authentication
• Scans the application for required keys
• Checks GitHub secrets for existing keys
• Fetches missing keys (placeholder logic for external sources - can be extended)
• Updates repository secrets via GitHub API
• Injects keys into build artifacts or deployment configuration
• Clears sensitive values after processing

Key Management Script

Create scripts/key-manager.js or scripts/key-manager.ts that:

• Parses application code to find required environment variables
• Identifies missing keys
• Formats keys for GitHub secrets API
• Handles key injection into various formats (.env, docker-compose, etc.)
• Implements secure memory clearing

Security Considerations

• Use GitHub's secrets masking features
• Implement proper error handling without exposing key values
• Validate key formats before storage
• Support key rotation workflows
• Log operations without logging sensitive data

Expected Behavior

1. During Build: Workflow scans app → identifies needed keys → checks secrets
2. If Key Missing: Uses keyfinder to authenticate and fetch key from external source
3. Storage: Adds key to GitHub secrets if not already there
4. Injection: Places key in proper location for app to use
5. Cleanup: Erases key value from workflow memory, retains only location metadata
6. Reuse: Next time, finds key in secrets instead of fetching again

Configuration

• The keyfinder secret should be available in repository secrets
• Support configuration file (e.g., key-manager.config.json) to specify:
  • Which keys are required for the application
  • Where keys should be injected
  • External sources to check (extensible)

Documentation

Include README documentation explaining:

• How to use the key management system in new projects
• How to configure it for different app types
• Security best practices
• Troubleshooting common issues

This system should work as a core functionality that can be integrated into any new app deployment process.