
winget: switch to using an Azure KeyVault #702

Merged
merged 1 commit into from
Oct 28, 2024

Conversation

dscho
Member

@dscho dscho commented Oct 28, 2024

Instead of storing the Personal Access Token in an environment secret, store it in Azure KeyVault instead. This allows for much better auditing when (and where) the secret is used.

Ideally, we would even switch away from using a Personal Access Token in the first place. But there is no alternative, such as a Managed Identity on GitHub, where one could define in a fine-grained way which usage scenario can be performed using that identity, and recent reorgs at GitHub suggest that adding such an alternative may not be on the list of priorities at all.

So let's just stay with a Personal Access Token, but do safeguard it better by putting it into a KeyVault that can only be accessed by a narrowly-scoped GitHub Actions environment.

Instead of storing the Personal Access Token in an environment secret,
store it in Azure KeyVault instead. This allows for much better auditing
when (and where) the secret is used.

Ideally, we would even switch away from using a Personal Access Token in
the first place. But there is no alternative, such as a Managed Identity
on GitHub, where one could define in a fine-grained way which usage
scenario can be performed using that identity, and recent reorgs at
GitHub suggest that adding such an alternative may not be on the list of
priorities at all.

So let's just stay with a Personal Access Token, but do safeguard it
better by putting it into a KeyVault that can only be accessed by a
narrowly-scoped GitHub Actions environment.

Signed-off-by: Johannes Schindelin <[email protected]>
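For illustration, here is a GitHub Actions job in the shape the description calls for. It is an added example, not the workflow from microsoft/git (this page does not show that file): the job is pinned to a dedicated environment, authenticates to Azure with a short-lived OIDC token instead of a stored credential, reads the PAT from Key Vault at run time, and masks it before any step can print it. The vault name, secret name, environment name, identity values and the publishing command are placeholders.

```yaml
# Added example, not the project's own workflow.
#
# Before (the pattern the PR moves away from): the PAT is a GitHub environment
# secret and is handed straight to the job. Anyone who can run a job in that
# environment receives the token, and GitHub keeps no record of where it was used.
#
#   jobs:
#     publish:
#       runs-on: windows-latest
#       environment: release
#       steps:
#         - run: publish-tool --token ${{ secrets.WINGET_PAT }}   # placeholder command
#
# After: the job carries no long-lived secret. It exchanges its OIDC token for an
# Azure identity that may read exactly one secret from one vault, and every read
# shows up in that vault's audit log with caller, time and source address.
name: winget-release
on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write        # needed for the OIDC exchange with Azure

jobs:
  publish:
    runs-on: windows-latest
    # The federated credential on the Azure side is bound to this environment
    # (subject repo:<owner>/<repo>:environment:release), so a job that runs in
    # any other environment, or from a fork, cannot obtain the identity.
    environment: release
    steps:
      - uses: azure/login@v2
        with:
          # These three values are identifiers, not credentials; they are kept as
          # secrets only to keep them out of the workflow file.
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Fetch the PAT from Key Vault
        id: pat
        shell: bash
        run: |
          # Placeholder vault and secret names.
          token=$(az keyvault secret show \
            --vault-name "EXAMPLE-VAULT" \
            --name "EXAMPLE-WINGET-PAT" \
            --query value -o tsv)
          # Register the value with the runner's log masker before it goes anywhere.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"

      - name: Publish (placeholder command)
        shell: bash
        env:
          # Scoped to this one step rather than exported job-wide.
          GH_TOKEN: ${{ steps.pat.outputs.token }}
        run: |
          publish-tool --token "$GH_TOKEN"
```

On the Azure side, the app registration gets a federated identity credential whose subject matches the repository and the `release` environment, and the identity is granted only the Key Vault Secrets User role on that single vault. That is what turns "a secret any job in the environment can read" into "a secret one identity can read, with each read logged", which is the auditing gain the description is after.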
@dscho dscho self-assigned this Oct 28, 2024
@dscho dscho merged commit cde0eef into microsoft:vfs-2.47.0 Oct 28, 2024
49 checks passed
@dscho dscho deleted the use-keyvault-in-winget-workflow branch October 28, 2024 14:40
dscho added a commit that referenced this pull request Oct 29, 2024
This is a companion to #702: Instead of storing the token used for the
Homebrew release workflow, let's retrieve it from the Key Vault that
already is used to store such information.
mjcheetham pushed a commit that referenced this pull request Dec 3, 2024
3 participants