Feature Overview

tfaction provides a feature for secret management.
https://suzuki-shunsuke.github.io/tfaction/docs/config/secret/

But I think there is room to improve the secret management in terms of security.

- Use a different GitHub Access Token to manage GitHub with Terraform from the GitHub Token used for CI
- Generate GitHub Access Tokens from GitHub Apps for each working directory
- Support setting `repositories` and `permissions` when creating GitHub Access Tokens from GitHub Apps
- Get GitHub App IDs and private keys from AWS Secrets Manager and Google Secret Manager
- Don't output secrets as environment variables to `GITHUB_ENV`. Expose secrets only to the steps which execute Terraform

Use a different GitHub Access Token to manage GitHub with Terraform from the GitHub Token used for CI

The permissions and repositories needed to manage GitHub with Terraform are different from those needed for CI.
To limit permissions and repositories properly, we should use a GitHub Access Token for managing GitHub with Terraform that is different from the GitHub Token used for CI.

Manage secrets with a Secret Manager like AWS Secrets Manager rather than GitHub Secrets

https://dev.to/suzukishunsuke/secure-github-actions-by-pullrequesttarget-641#secret-management

Users should not use `export-secrets`. We should provide more secure ways.

Don't output secrets as environment variables to `GITHUB_ENV`. Expose secrets only to the steps which execute Terraform

The actions `export-secrets` and `export-aws-secrets-manager` output secrets as environment variables, so all subsequent steps can access those secrets. This is not secure.

Why is the feature needed?

To improve security.

Does the feature include Breaking Changes?

Maybe.

Example Code
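The following workflow is an added illustration of the points raised in this issue; it is not tfaction's own workflow or code. It puts the weak pattern (writing a token to `GITHUB_ENV`, where every later step inherits it) next to a hardened one: the built-in `GITHUB_TOKEN` stays read-only for CI, the GitHub App private key is read from AWS Secrets Manager over OIDC instead of GitHub Secrets, a short-lived installation token is minted with explicit `repositories` and `permission-*` inputs, and that token is passed as step-scoped `env` to the Terraform step only. The secret id, IAM role ARN, variable name and repository names are placeholders; the `repositories` and `permission-*` inputs are those documented for `actions/create-github-app-token`, and the exact permissions a given Terraform configuration needs are an assumption to be adjusted per working directory.

```yaml
name: terraform
on:
  pull_request:
permissions:
  contents: read   # built-in GITHUB_TOKEN is the read-only "CI token"
  id-token: write  # OIDC federation to AWS; no long-lived AWS keys in GitHub Secrets

jobs:
  # Weak pattern: the token is exported to GITHUB_ENV, so every later step sees it.
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Export a secret to GITHUB_ENV (all subsequent steps inherit it)
        # GH_TOKEN is a placeholder secret name
        run: echo "TF_VAR_github_token=${{ secrets.GH_TOKEN }}" >> "$GITHUB_ENV"
      - name: Unrelated step now has the token in its environment
        run: ./scripts/lint.sh   # placeholder script; it can read TF_VAR_github_token
      - run: terraform plan

  # Hardened pattern: separate, short-lived, scoped token exposed to Terraform only.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # runs with the read-only GITHUB_TOKEN

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # placeholder role; grant it GetSecretValue on the one secret below
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-tfaction-secrets-reader
          aws-region: us-east-1

      - name: Read the GitHub App private key from AWS Secrets Manager
        id: app-key
        run: |
          # EXAMPLE/tfaction/github-app-private-key is a placeholder secret id
          key=$(aws secretsmanager get-secret-value \
                  --secret-id "EXAMPLE/tfaction/github-app-private-key" \
                  --query SecretString --output text)
          # mask every line of the PEM so it never appears in the job log
          while IFS= read -r line; do echo "::add-mask::$line"; done <<< "$key"
          # hand the key to the next step as a step output, not via GITHUB_ENV
          {
            echo "private-key<<EOF"
            echo "$key"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      - name: Mint a token scoped to what this working directory manages
        id: tf-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.TFACTION_GITHUB_APP_ID }}   # placeholder variable name
          private-key: ${{ steps.app-key.outputs.private-key }}
          owner: ${{ github.repository_owner }}
          repositories: managed-repo-a,managed-repo-b   # placeholder; only the repos Terraform manages here
          permission-administration: write              # example permissions; adjust per directory
          permission-contents: read

      - name: Only the Terraform step receives the token
        env:
          GITHUB_TOKEN: ${{ steps.tf-token.outputs.token }}   # step-scoped env, not GITHUB_ENV
        run: |
          terraform init
          terraform plan

      - name: A later step does not see it
        run: |
          if [ -z "${GITHUB_TOKEN:-}" ]; then
            echo "no Terraform token in this step"
          else
            echo "token leaked into an unrelated step" >&2; exit 1
          fi
```

The two differences that matter for review are the scope of the `env:` key (per step rather than job-wide or `GITHUB_ENV`) and the `repositories` / `permission-*` inputs on the token step, which are what let each working directory get a token limited to the repositories and permissions it actually manages.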