Viorel PETCU
GitHub Actions for Secret Management

Managing inherited projects that carry little or no documentation on their API keys and secrets is a formidable challenge. My own case began with an urgent need to identify and securely document the secrets scattered across repositories, a problem compounded by frequent personnel changes and a lack of previous accountability. Replacing every token indiscriminately would have risked downtime, so I built two GitHub Actions to tackle the problem:

  1. Download Secret Text
  2. Mystery Token Explorer

Initially born out of necessity, these tools have evolved to assist developers facing similar challenges more broadly.

Download Secret Text

(Encrypted Documentation & Secure Sharing)

Download Secret Text offers a secure method for encrypting and documenting sensitive information. It encrypts the supplied plain text to a GPG public key and attaches the ciphertext to the run as an artifact, so secrets can be shared safely among team members or archived. Only holders of the matching private key can read the result, which keeps the confidentiality and integrity of project secrets intact.

Using the action is quite intuitive:

    steps:
    - uses: vosos/download-secret-text@v1
      with:
        # the public key is not sensitive, so a repository variable is enough;
        # a secret works just as well:
        gpg_public_key: ${{ vars.GPG_PUBLIC_KEY }}
        # gpg_public_key: ${{ secrets.GPG_PUBLIC_KEY }}
        plain_text: |
          SOME_API_KEY=${{ secrets.SOME_API_KEY }}
          FYE_SECRET_ONE=${{ secrets.FYE_SECRET_ONE }}
          FYE_SECRET_TWO=${{ secrets.FYE_SECRET_TWO }}
          SOME_TOKEN=${{ secrets.SOME_TOKEN }}

Such a step in your workflow produces this kind of result in your run summary:

[Image: artifact download example]

For setting up a GPG key pair, GitHub's own tutorial provides an excellent starting point. It walks you through generating the public and private keys: the public key is what this action needs, and the private key, together with your passphrase, is what you use to decrypt the artifact.

Mystery Token Explorer

(Shedding Light on the Shadows)

Mystery Token Explorer sheds light on the obscured tokens within a project by querying the GitHub API with each token to find out which account it belongs to. This insight is invaluable for developers working through projects riddled with undocumented secrets. Planned enhancements include using more of the GitHub API to uncover additional token details (I'll get around to this soon; meanwhile, contributions via PRs and issues are encouraged).

Using this action is also intuitive:

    - name: Identify GitHub User
      uses: vosos/mystery-token-explorer@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        jq_filter: '{name: .name, login: .login, id: .id}'

Such a step in your workflow produces this kind of result in your run summary:

[Image: results are visible on the run summary]
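The ownership lookup the explorer performs, as an added Python example rather than the action's own code: it calls GET /user with the token, keeps the same fields the jq filter above selects, reads any classic-token scopes from the X-OAuth-Scopes response header, and renders a step-summary table. The transport is injectable so the logic runs offline against a constructed response; `constructed_fetch`, `GITHUB_API` and the helper names are assumptions, not part of the action.

```python
import json
import urllib.request

GITHUB_API = "https://api.github.com"


def http_get(url, headers):
    """Real transport: GET url, return (status, lower-cased headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        hdrs = {k.lower(): v for k, v in resp.headers.items()}
        return resp.status, hdrs, resp.read().decode()


def identify_token(token, fields=("name", "login", "id"), fetch=http_get):
    """Ask GET /user whose token this is, keeping only `fields` (the action's
    jq filter). Classic-token scopes arrive in the X-OAuth-Scopes header."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "mystery-token-explorer-example",  # GitHub requires a UA
    }
    status, resp_headers, body = fetch(f"{GITHUB_API}/user", headers)
    if status != 200:
        # 401: revoked or malformed. 403 typically: an installation token
        # such as GITHUB_TOKEN, which has no user identity behind it.
        return {"status": status, "owner": None, "scopes": []}
    user = json.loads(body)
    raw = resp_headers.get("x-oauth-scopes", "")
    return {
        "status": 200,
        "owner": {k: user.get(k) for k in fields},
        "scopes": [s.strip() for s in raw.split(",") if s.strip()],
    }


def to_step_summary(result):
    """Render the result as the Markdown a step appends to $GITHUB_STEP_SUMMARY."""
    if result["owner"] is None:
        return f"| field | value |\n|---|---|\n| status | {result['status']} |\n"
    rows = [f"| {k} | {v} |" for k, v in result["owner"].items()]
    rows.append(f"| scopes | {', '.join(result['scopes']) or '(none)'} |")
    return "| field | value |\n|---|---|\n" + "\n".join(rows) + "\n"


def constructed_fetch(url, headers):
    """Offline stand-in for the API (constructed data, not a real response)."""
    assert url == f"{GITHUB_API}/user" and headers["Authorization"].startswith("Bearer ")
    body = json.dumps({"login": "octo-ci", "id": 424242, "name": "Octo CI"})
    return 200, {"x-oauth-scopes": "repo, workflow"}, body
```

In a real step, write `to_step_summary(...)` to the file named by `$GITHUB_STEP_SUMMARY`; a 403 from GET /user is the usual sign that the token is an installation token rather than a user's.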

Bridging GitHub's Secret Management Gap

Missing something?

GitHub treats secrets as write-only: once a secret is added, it cannot be viewed or retrieved again, which protects it from casual disclosure. Download Secret Text works around this limitation at the workflow level: the workflow can read its own secrets, so the action encrypts them to your GPG public key and publishes the ciphertext as an artifact, giving you a "read" capability akin to GitLab's more flexible secret management. This is particularly beneficial for teams migrating to GitHub or managing projects across different platforms, offering a unified and secure secret management solution. Two caveats follow from how it works: the artifact is only as confidential as the private key that can decrypt it, and anyone able to edit the workflow or the GPG_PUBLIC_KEY variable could point the export at a key of their choosing, so both deserve the same review as the workflow itself.

Expanding Utility Beyond Initial Needs

Though these GitHub Actions were created to ease project transitions, their utility extends into broader contexts:

Streamlining Security Audits & CI/CD Pipelines

Incorporating Mystery Token Explorer into security audits or CI/CD pipelines automates the identification and cataloguing of tokens. Used alongside Download Secret Text, it lets a team document the current secrets before rotating them, minimizing exposure and keeping operations uninterrupted.

Advancing Secure Documentation Practices

Download Secret Text is invaluable for teams committed to securely documenting their infrastructure, ensuring sensitive details remain accessible only to those authorized.

In Closing

Inheriting projects laden with undocumented secrets need not be overwhelming. Mystery Token Explorer and Download Secret Text equip developers with robust tools for discovering, understanding, and securely managing digital secrets. These GitHub Actions smooth project transitions and bolster security and operational efficiency, demonstrating a proactive secret management strategy that maximizes GitHub's strengths while mitigating its constraints. As these tools progress, they highlight the potential for community-driven enhancements to forge more secure and efficient development workflows.
