
Secrets documentation

Open wipfli opened this issue 2 years ago • 4 comments

MapLibre GL Native has 14 GitHub secrets. Are these documented somewhere?

wipfli avatar Jun 08 '22 14:06 wipfli

Who is CR? I see that we use their personal access token in the android ci workflow...

https://github.com/maplibre/maplibre-gl-native/blob/ca5810f61fde26d0fbccbe4d48d4c771d02e460f/.github/workflows/android-ci.yml#L43-L45

wipfli avatar Jun 23 '22 18:06 wipfli

The Gradle config might be related to

https://github.com/maplibre/maplibre-gl-native/blob/5b3d936521040149e343f81ed4bd2ce24b75e690/platform/android/scripts/create-signing-key.sh#L13-L17

wipfli avatar Jul 05 '22 08:07 wipfli

At the moment we have these GitHub secrets: [image]

wipfli avatar Jul 12 '22 18:07 wipfli

@petr-pokorny-1 and @roblabs do you have any insights about how these secrets are managed?

wipfli avatar Jul 12 '22 18:07 wipfli

Let's store all the secrets as clear text in our password manager...

Is in password manager?

  • [ ] BINTRAY_API_KEY
  • [ ] BINTRAY_USER
  • [x] CR_PAT (GitHub container registry personal access token for Android builds)
  • [ ] DIST_GITHUB_TOKEN
  • [ ] GLCLOUD_SERVICE_JSON
  • [ ] GPG_KEY_CONTENTS
  • [ ] GPG_PASSPHRASE
  • [ ] MAPBOX_DEVELOPER_CONFIG_XML
  • [ ] MAPLIBRE_DEVELOPER_CONFIG_XML
  • [ ] NODE_PRE_GYP_GITHUB_TOKEN
  • [x] OSSRH_PASSWORD (probably the password for https://s01.oss.sonatype.org/#welcome)
  • [x] OSSRH_USERNAME (probably the username for https://s01.oss.sonatype.org/#welcome)
  • [x] SIGNING_KEY_ID
  • [x] SIGNING_PASSWORD
  • [x] SONATYPE_STAGING_PROFILE_ID

wipfli avatar Dec 10 '22 08:12 wipfli

Since CR_PAT is used in the container section here:

https://github.com/maplibre/maplibre-gl-native/blob/73973703426ebf11c3c6bea60857644c44d7b5e5/.github/workflows/android-release.yml#L12-L16

It might be that the abbreviation stands for "Container Registry Personal Access Token"...

wipfli avatar Dec 10 '22 17:12 wipfli

If no-one knows what MAPLIBRE_DEVELOPER_CONFIG_XML is I will remove it from the CI.

Android CI is failing because of it now.

louwers avatar Jan 26 '23 21:01 louwers

It's also possible to get the plain text of a secret with a hack: https://stackoverflow.com/questions/63003669/how-can-i-see-my-git-secrets-unencrypted

louwers avatar Jan 26 '23 21:01 louwers

Indeed, we should have a strategy for this. We should decide where we store the secrets and how we make them available. If there is anyone who has an in-depth overview/knowledge about this in the MapLibre context, I'd love to set up a short call with them.

ovivoda avatar Jan 28 '23 07:01 ovivoda

We store the secrets in a password manager to which the Governing Board has access. What the secrets are doing or used for should be documented in the places close to where they are used, i.e., in MapLibre GL JS and Native for the things related to CI, and in maplibre/maplibre for the things unrelated to a repo. Some things in the password manager, like the Zoom password, are also self-explanatory...

wipfli avatar Jan 28 '23 08:01 wipfli

@wipfli alright, then we need to understand how we can automate this, i.e., how we can ensure security while still accessing those secrets, for the ones that are really needed. So my suggestion is to make a list of all secrets used in the codebase + CI, then tackle each one individually. cc @louwers

ovivoda avatar Jan 28 '23 11:01 ovivoda
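One way to build the list suggested above, as an added example that is not part of this thread or of the MapLibre project: it scans workflow text for `${{ secrets.NAME }}` references and compares them with the checklist earlier in the issue, so that secrets used but not yet in the password manager, and secrets configured but no longer referenced (removal candidates, like MAPLIBRE_DEVELOPER_CONFIG_XML), stand out. The workflow fragments and the ghcr.io image name are constructed for the example.

```python
import re

# Constructed sample workflow fragments (not the real MapLibre files), shaped like the android-ci / android-release jobs discussed in this thread.
SAMPLE_WORKFLOWS = {
    ".github/workflows/android-ci.yml": """
    container:
      image: ghcr.io/example/android-builder:latest   # hypothetical image
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.CR_PAT }}
    steps:
      - run: echo "$DEV_CONFIG" > developer-config.xml
        env:
          DEV_CONFIG: ${{ secrets.MAPLIBRE_DEVELOPER_CONFIG_XML }}
""",
    ".github/workflows/android-release.yml": """
      - run: ./gradlew publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
          SIGNING_KEY_ID: ${{secrets.SIGNING_KEY_ID}}
""",
}
# Secrets configured in repository settings (the checklist in this thread) and
# the subset already recorded in the password manager (the [x] items).
CONFIGURED = set("""BINTRAY_API_KEY BINTRAY_USER CR_PAT DIST_GITHUB_TOKEN
    GLCLOUD_SERVICE_JSON GPG_KEY_CONTENTS GPG_PASSPHRASE MAPBOX_DEVELOPER_CONFIG_XML
    MAPLIBRE_DEVELOPER_CONFIG_XML NODE_PRE_GYP_GITHUB_TOKEN OSSRH_PASSWORD
    OSSRH_USERNAME SIGNING_KEY_ID SIGNING_PASSWORD SONATYPE_STAGING_PROFILE_ID""".split())
DOCUMENTED = set("""CR_PAT OSSRH_PASSWORD OSSRH_USERNAME SIGNING_KEY_ID
    SIGNING_PASSWORD SONATYPE_STAGING_PROFILE_ID""".split())
AUTOMATIC = {"GITHUB_TOKEN"}  # issued by Actions per run, not a stored secret
# Matches ${{ secrets.NAME }} with optional whitespace inside the braces.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def find_secret_refs(workflows):
    """Map each referenced secret name to the set of workflow files using it."""
    refs = {}
    for path, text in workflows.items():
        for name in SECRET_REF.findall(text):
            refs.setdefault(name, set()).add(path)
    return refs

def audit(workflows, configured=CONFIGURED, documented=DOCUMENTED):
    """Bucket secrets: used but undocumented, configured but unused, used but not configured."""
    used = set(find_secret_refs(workflows)) - AUTOMATIC
    return {
        "undocumented": sorted(used - documented),
        "unused": sorted(configured - used),
        "not_configured": sorted(used - configured),
    }
```

Secrets passed to reusable workflows with `secrets: inherit`, or read through `secrets[name]` indexing, are not matched by this pattern, so treat the result as a starting point rather than a complete inventory.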