Rotate the github secret for the Maestro GitHub apps
To resolve #3238, the GitHub secret needs to be rotated in our infrastructure.
Since the secret is of the GitHub App type, only people with JIT access to the dotnet org can do it.
Release Note Category
- [ ] Feature changes/additions
- [x] Bug fixes
- [ ] Internal Infrastructure Improvements
Release Note Description
Rotated the GitHub secret as follows:
- Elevated rights (JIT) for the dotnet org
- Renewed the GitHub secrets defined in the arcade-services repo by running:

  ```powershell
  .\.dotnet\dotnet.exe secret-manager synchronize --skip-untracked .\.vault-config\maestroint.yaml
  .\.dotnet\dotnet.exe secret-manager synchronize --skip-untracked --force-secret github .\.vault-config\maestrolocal.yaml
  .\.dotnet\dotnet.exe secret-manager synchronize --skip-untracked --force-secret github .\.vault-config\maestroprod.yaml
  ```
Validated by triggering the subscription for arcade to arcade-services:

```powershell
darc trigger-subscriptions --ids a3e4e495-e424-4274-a65b-08dbe6b87e03
```

Also triggered a dotnet-arcade-services-weekly pipeline run to validate and rotate the remaining secrets.
Followup for fixing incorrect links in secrets manager: https://github.com/dotnet/dnceng/issues/1913
Waiting for the arcade-services rollout to be sure. After that, delete the old certificate and client tokens from the int, local and prod maestro GH apps.
@tkapin I believe we can finalize this
Yes, I just want to wait a bit more time till all the urgent operations things settle down. I believe the risk is very low, but still, there's no urgency with this, so let's wait a week or two yet.
@tkapin maybe we should do this now?
@tkapin or now?
JITted for the dotnet org, went to https://github.com/organizations/dotnet/settings/apps/dotnet-maestro and removed the client secret created by mmitche and used 5 months ago.
I'm leaving the private key created by @mmitche on Dec 16, 2021 there as I'm not sure about its usage.
@mmitche - @premun and I think that this private key can be removed as well, but want to get this double-checked by you. Thanks!
@premun - assigning this to you to check with Matt on the above and close this.