Navigating the complexities of managing projects, especially those inherited with little documentation on API keys and secrets, presents a formidable challenge. My journey began with an urgent need to identify and securely document the secrets dispersed across repositories—a challenge compounded by frequent personnel changes and a lack of previous accountability. To tackle these issues and avert potential downtime risks associated with indiscriminately replacing tokens, I devised two GitHub Actions:
Initially born out of necessity, these tools have evolved to assist developers facing similar challenges more broadly.
Download Secret Text
(Encrypted Documentation & Secure Sharing)
Download Secret Text offers a secure method for encrypting and documenting sensitive information. By using a GPG public key for encryption, it enables the safe sharing of secrets among team members or for archival purposes. This action stands as a testament to the critical importance of maintaining the confidentiality and integrity of project secrets.
Using the action is quite intuitive:
steps:
- uses: vosos/download-secret-text@v1
with:
gpg_public_key: ${{ vars.GPG_PUBLIC_KEY }}
# gpg_public_key: ${{ secrets.GPG_PUBLIC_KEY }}
plain_text: |
SOME_API_KEY=${{ secrets.SOME_API_KEY }}
FYE_SECRET_ONE=${{ secrets.FYE_SECRET_ONE }}
FYE_SECRET_TWO=${{ secrets.FYE_SECRET_TWO }}
SOME_TOKEN=${{ secrets.SOME_TOKEN }}
such a step in your workflow
will produce this kind of result in your run summary
:
For setting up a GPG key pair, GitHub’s own TUTORIAL provides an excellent starting point. The tutorial walks you through generating the necessary public and private keys—the former for this action and the latter, combined with your passphrase, for decryption.
Mystery Token Explorer
(Shedding Light on the Shadows)
Mystery Token Explorer illuminates the obscured tokens within a project by leveraging the GitHub API to fetch information about their ownership. This insight is invaluable for developers tasked with navigating projects riddled with undocumented secrets. Plans for future enhancements include expanding the use of the GitHub API to uncover additional token details (I’ll get around to this soon—meanwhile, contributions via PRs and issues are encouraged).
Using this action is also intuitive:
- name: Identify GitHub User
uses: vosos/mystery-token-explorer@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
jq_filter: '{name: .name, login: .login, id: .id}'
such a step in your workflow
will produce this kind of result in your run summary
:
Bridging GitHub’s Secret Management Gap
GitHub’s “write-only” policy for secrets safeguards security by preventing direct viewing or retrieval post-addition. Download Secret Text cleverly circumvents this limitation, providing a “read” capability akin to GitLab’s more flexible secret management approach. This functionality is particularly beneficial for teams migrating to GitHub or managing projects across different platforms, offering a unified and secure secret management solution.
Expanding Utility Beyond Initial Needs
Though these GitHub Actions were created to ease project transitions, their utility extends into broader contexts:
Streamlining Security Audits & CI/CD Pipelines
Incorporating Mystery Token Explorer into security audits or CI/CD pipelines facilitates the automated identification and cataloging of tokens. Used alongside Download Secret Text, it ensures secure updates to secrets, minimizing exposure risks and maintaining uninterrupted operations.
Advancing Secure Documentation Practices
Download Secret Text is invaluable for teams committed to securely documenting their infrastructure, ensuring sensitive details remain accessible only to those authorized.
In Closing
Inheriting projects laden with undocumented secrets need not be overwhelming. Mystery Token Explorer and Download Secret Text equip developers with robust tools for discovering, understanding, and securely managing digital secrets. These GitHub Actions smooth project transitions and bolster security and operational efficiency, demonstrating a proactive secret management strategy that maximizes GitHub’s strengths while mitigating its constraints. As these tools progress, they highlight the potential for community-driven enhancements to forge more secure and efficient development workflows.