
homebrew: switch to using an Azure Key Vault secret #703

Status: Merged (2 commits, Oct 29, 2024)

Conversation

dscho (Member) commented Oct 28, 2024

This is a companion to #702: Instead of storing the token used for the Homebrew release workflow, let's retrieve it from the Key Vault that already is used to store such information.

Instead of storing the Personal Access Token in an environment secret,
store it in Azure KeyVault instead. This allows for much better auditing
when (and where) the secret is used.

Ideally, we would even switch away from using a Personal Access Token in
the first place. But there is no alternative, such as a Managed Identity
on GitHub, where one could define in a fine-grained way which usage
scenario can be performed using that identity, and recent reorgs at
GitHub suggest that adding such an alternative may not be on the list of
priorities at all.

So let's just stay with a Personal Access Token, but do safeguard it
better by putting it into a KeyVault that can only be accessed by a
narrowly-scoped GitHub Actions environment.

Signed-off-by: Johannes Schindelin <[email protected]>

fixup! Adding winget workflows

Instead of storing the Personal Access Token in an environment secret,
store it in Azure KeyVault instead. This allows for much better auditing
when (and where) the secret is used.

Ideally, we would even switch away from using a Personal Access Token in
the first place. But there is no alternative, such as a Managed Identity
on GitHub, where one could define in a fine-grained way which usage
scenario can be performed using that identity, and recent reorgs at
GitHub suggest that adding such an alternative may not be on the list of
priorities at all.

So let's just stay with a Personal Access Token, but do safeguard it
better by putting it into a KeyVault that can only be accessed by a
narrowly-scoped GitHub Actions environment.

Signed-off-by: Johannes Schindelin <[email protected]>
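The arrangement the PR description and commit messages describe (a Personal Access Token kept in Azure Key Vault, readable only from a narrowly-scoped GitHub Actions environment) can be expressed as a workflow like the following. This is an added illustration, not a workflow from the microsoft/git repository or from this PR; the workflow name, environment name, vault name, secret name, Azure variable names and the `release.sh` script are all assumptions. It relies on the `azure/login` action's OIDC mode and the `az keyvault secret show` command, both of which exist with the inputs shown.

```yaml
# Added example (not the repository's own workflow): fetch a PAT from Azure
# Key Vault at run time instead of reading it from an environment secret.
# Every name below is an assumption chosen for the illustration.
name: homebrew-release-example

on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # lets azure/login request the OIDC token it exchanges for Azure credentials

jobs:
  release:
    runs-on: ubuntu-latest
    # The environment is the scoping boundary. On the Azure side the federated
    # credential is bound to the subject claim
    #   repo:<org>/<repo>:environment:homebrew-release
    # so a job that is not running in this environment cannot log in and
    # therefore cannot read the vault, even from the same repository.
    environment: homebrew-release   # assumed environment name

    steps:
      - name: Log in to Azure with OIDC (no long-lived Azure credential stored)
        uses: azure/login@v2
        with:
          # App registration / tenant / subscription ids; these identify the
          # identity but are not secrets in the PAT sense.
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Read the PAT from Key Vault
        id: kv
        shell: bash
        run: |
          # Assumed vault and secret names. Each read is a SecretGet operation
          # in the vault's audit log, which records the identity and time of
          # the access; that log is the auditing benefit the PR describes.
          token=$(az keyvault secret show \
            --vault-name example-release-vault \
            --name homebrew-pat \
            --query value -o tsv)
          # Register the value with the runner's masker so it is redacted from
          # the job log, then hand it to later steps as a step output.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"

      - name: Run the Homebrew release step
        env:
          # Assumed variable name consumed by the (assumed) release script.
          GH_TOKEN: ${{ steps.kv.outputs.token }}
        run: ./release.sh
```

Two things to check when setting this up: the federated credential's subject must name the environment (a subject of `repo:<org>/<repo>:ref:refs/heads/main` would admit any job on that branch, not only jobs in the protected environment), and the vault needs a diagnostic setting that forwards its audit events somewhere retained, since the on-demand auditing of "when and where the secret is used" only exists if those events are collected.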
@dscho dscho self-assigned this Oct 28, 2024
dscho (Member, Author) commented Oct 28, 2024

(While at it, I also amend the commit message of the commit contained in #702 to turn it into a fixup!, which I missed before merging.)

@dscho dscho merged commit 90d5460 into microsoft:vfs-2.47.0 Oct 29, 2024
49 checks passed
@dscho dscho deleted the use-keyvault-in-homebrew-workflow branch October 29, 2024 08:16
2 participants