ER: how to enable people to share secrets

[ExperimentsInHonesty]

Emergent Requirement - Problem

We need to write to Eric and ask him more about not being able to store secrets and where has he stored them in the meantime. I already checked

Issue you discovered this emergent requirement in

• #Find or create a reliable Docker image for HFLA Website team #28 and specifically on this comment Find or create a reliable Docker image for HFLA Website team #28 (comment)

Date discovered

2023-04-04

Did you have to do something temporarily

• YES
• NO

Who was involved

@ericvennemeyer @ExperimentsInHonesty @JasonEb

What happens if this is not addressed

We hit the problem again, or possibly the secrets are currently being stored in some suboptimal place

Notes

Where was Eric trying to add the secrets? Which repo?
The ghpages-docker repo is managed by the ops team, so anyone who is on the github.com/orgs/hackforla/teams/ops-admin has access anyone who is not, does not.

Resources

• GitHub help file about secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets
• Docker Repo
  • HfLA docker repo: https://github.com/hackforla/ghpages-docker
  • HfLA docker wiki: https://github.com/hackforla/ghpages-docker/wiki
  • HfLA docker repo files that contain the word secret
  • https://github.com/hackforla/ghpages-docker/blob/main/.github/workflows/notify-failed-build.yml#L23
  • https://github.com/hackforla/ghpages-docker/blob/main/.github/workflows/build-and-push-to-docker-hub.yml#L25
• Team permissions
  • Ops: https://github.com/orgs/hackforla/teams/ops-admin
    • Ops repos: https://github.com/orgs/hackforla/teams/ops-admin/repositories
• HfLA Guide issues related to secrets
  • Create a Guide/Template: Preventing Secrets & Credentials Leaks in GitHub knowledgebase-content#69

Recommended Action Items

• Make a new issue
• Discuss with team
• Let a Team Lead know

Potential solutions [draft]

[ExperimentsInHonesty]

I created this ER issue to socialize something we are doing on the website team that I want to demo here, and because we need to work on the items contained in it. @JasonEb please add this to the agenda.

[ExperimentsInHonesty]

Sent Eric a message on slack 2023-06-21
I made an issue to talk about github secrets. Let Jason know when to add that to the agenda, so we I can demo it for you #73

[ericvennemeyer]

@ExperimentsInHonesty @JasonEb I reviewed the pertinent issue (#28) and I think I'm back up to speed. At the time the comments in question were created, I wanted to add login info for both the hackforlaops/ghpages Docker Hub registry and the @danielridgebot account to our ghpages-docker repo as secrets, so they wouldn't accidentally be exposed.

If I remember correctly, I had originally requested admin privileges in hackforla/ops so I could do this myself. I believe those were initially granted, then quickly revoked in the interest of limiting the number of users with admin access. However, GitHub sent me an email notification of Jason's original comment after I was made an admin, and this comment from me was in response to that email. When my admin access was revoked, I think Jason deleted his original comment, which might be why my response appears chronologically out of order.

At any rate, Jason ultimately added the secrets I had requested to the ghpages-docker repo himself and notified me when they had been entered. (See this comment as an example.)

So, in a nutshell, the only trouble I had in creating repo secrets was that I did not have admin privileges in hackforla/ops, and the workaround was to have Jason create them for me. Those secrets should still exist in the ghpages-docker repo, and there were no loose ends as far as I know.

Hopefully that helps. I am still happy to attend the Ops meeting next week to discuss.