How to protect secrets whilst enabling the ability to amend a pipeline

I’m writing a CI pipeline using GitHub Actions.

The pipeline will build a Docker image, which it will then push to our Docker repository (AWS ECR).

In order to talk to ECR, we’ll need to provide a secret (and some other details).

That secret we’ll be pulling from HashiCorp Vault… though that itself requires a secret in order to access it, so to some extent we’re just offsetting the problem.

The pipeline’s code is in the same repository as the code for which it is run (to which our developers have access); though we can hold some actions called by this code in a separate repository (to which only our DevOps team have access) if needed.

Whilst we trust our developers, it’s generally good practice to keep things locked down where possible. As such, is there any way we can set things up such that developers can amend the pipeline without being able to (deliberately or otherwise) expose these secrets? Are there any best practices around this sort of thing?

Author: JohnLBevan
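As an added illustration of the split the question sketches (a developer-editable workflow in the application repository that only builds, delegating the ECR push to a workflow held in the DevOps-only repository, where the job is gated by a GitHub environment and authenticates to AWS with a short-lived OIDC token rather than a stored secret), written for this page and not code from the original post; the organisation, repository, environment, region and role ARN are assumed placeholders:

```yaml
# File 1 (application repo, developers may edit): .github/workflows/build.yml
name: build-and-push
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build only: this job holds no registry or Vault credentials.
      - run: docker build -t app:${{ github.sha }} .
      - run: docker save app:${{ github.sha }} -o image.tar
      - uses: actions/upload-artifact@v4
        with:
          name: image
          path: image.tar
  push:
    needs: build
    permissions:
      id-token: write   # the called workflow may not exceed these permissions
      contents: read
    # Delegates the push to a workflow in the DevOps-only repo (assumed name).
    uses: example-org/devops-workflows/.github/workflows/ecr-push.yml@main
    with:
      artifact: image
---
# File 2 (DevOps-only repo): .github/workflows/ecr-push.yml
name: ecr-push
on:
  workflow_call:
    inputs:
      artifact: { required: true, type: string }
jobs:
  push:
    runs-on: ubuntu-latest
    # The "ecr-push" environment lives in the calling repo and is configured by
    # an admin (required reviewers, allowed branches); an edited caller cannot
    # bypass those rules, so a rogue push step still needs an approval.
    environment: ecr-push
    permissions:
      id-token: write   # GitHub-issued OIDC token replaces a long-lived AWS key
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.artifact }}
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Role trust policy limits the token's sub claim to this repo/environment.
          role-to-assume: arn:aws:iam::123456789012:role/github-ecr-push  # assumed ARN
          aws-region: eu-west-1
      - id: login
        uses: aws-actions/amazon-ecr-login@v2
      - run: |
          docker load -i image.tar
          docker tag app:${{ github.sha }} ${{ steps.login.outputs.registry }}/app:${{ github.sha }}
          docker push ${{ steps.login.outputs.registry }}/app:${{ github.sha }}
```

Because the AWS role is assumed from the workflow's OIDC token, no ECR credential is stored in either repository, which removes the "secret to fetch the secret" problem the question raises for Vault; Vault's JWT auth method can be bound to the same token if Vault stays in the chain.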