tighten CI secret scope and move AWS config to environment vars (#14627)
* Add `environment: release` to the "publish-to-hex" job so that only
workflows explicitly targeting the release environment can read
sensitive values.
* Gate the job behind `if: ${{ vars.HEX_AWS_REGION }}` to avoid noisy
failures in forks where the variable is not configured.
* Replace `${{ secrets.HEX_AWS_REGION }}` / `${{ secrets.HEX_AWS_S3_BUCKET }}`
references with `${{ vars.* }}`. These are not credentials, so
environment-level *variables* are a better fit and keep them readable
only by jobs that declare the environment.
* Remove Fastly secrets from the job-wide `env:` block and inject them
only into the Fastly purge step, following the principle of least
privilege. Other steps no longer see these tokens.
Restricting secret visibility to an environment and to the exact step
that needs them reduces the blast radius of a compromised workflow run,
blocks accidental exposure in logs of unrelated steps, and stops forks
from obtaining privileged data.
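The pattern described in the commit message, as an added illustration (not the project's own workflow file): a job-wide `env:` that hands every step the secrets, shown beside the hardened form with an `environment:`, a `vars`-based gate, non-credential values moved from `secrets.*` to `vars.*`, and the CDN token scoped to the single step that needs it. Workflow name, trigger, step names, script paths and the `FASTLY_API_KEY` secret name are hypothetical; the before-job is kept only for contrast and would not be shipped.

```yaml
# Added example, not the project's workflow. Job, step, script and secret
# names are hypothetical; only the pattern (environment-scoped values, a
# job-level gate on a variable, step-level secrets) follows the commit message.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  # BEFORE (weak): region/bucket stored as secrets, all tokens in the job-wide
  # env, no environment. Every step, and every run of this job, can read them.
  publish-to-hex-before:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: ${{ secrets.HEX_AWS_REGION }}
      S3_BUCKET: ${{ secrets.HEX_AWS_S3_BUCKET }}
      FASTLY_API_KEY: ${{ secrets.FASTLY_API_KEY }}   # hypothetical secret name
    steps:
      - uses: actions/checkout@v4
      - name: Build and upload
        # hypothetical script; note it can also read FASTLY_API_KEY here
        run: ./scripts/upload.sh "$S3_BUCKET"
      - name: Purge CDN
        run: ./scripts/purge.sh                         # hypothetical script

  # AFTER (hardened)
  publish-to-hex:
    runs-on: ubuntu-latest
    # Gate on a variable rather than a secret: in a fork where it is unset the
    # expression is empty, which `if:` treats as false, so the job is skipped
    # instead of failing noisily. Assumed to be defined where a job-level `if`
    # can read it (repository or organization level).
    if: ${{ vars.HEX_AWS_REGION }}
    # Only jobs that declare this environment can read its secrets and
    # variables; protection rules (required reviewers, branch limits) attach here.
    environment: release
    env:
      # Not credentials, so environment-level *variables*, not secrets.
      AWS_REGION: ${{ vars.HEX_AWS_REGION }}
      S3_BUCKET: ${{ vars.HEX_AWS_S3_BUCKET }}
    steps:
      - uses: actions/checkout@v4
      - name: Build and upload
        run: ./scripts/upload.sh "$S3_BUCKET"         # no CDN token in scope
      - name: Purge CDN
        env:
          # Injected for this step only; earlier and later steps never see it.
          FASTLY_API_KEY: ${{ secrets.FASTLY_API_KEY }}
        run: ./scripts/purge.sh
```

Two checks worth making after a change like this: confirm in the repository settings that the gated variable really exists at a level the job-level `if:` can read, otherwise the job silently skips on every run; and treat the `if:` as a noise reducer, not a control, since the actual boundary is the `environment:` and whatever protection rules are attached to it. Step-level `env:` still exposes the token to that step's child processes, so the script called there should be the only thing that needs it.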