Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: move sensitive workflows to separate environment #1290

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

gosuto-inzasheru
Copy link
Collaborator

first step in a multilevel security setup for extra sensitive secrets

closes #1288

this merge requires the now repo level secret KEEPER_PRIVATE_WORDS to be moved the the "sensitive" environment secret KEEPER_PRIVATE_WORDS. this will prevent it being accessible in any of the other environments (both "internal" and "external")

@Tritium-VLK
Copy link
Member

Won't this break the poker?

@gosuto-inzasheru
Copy link
Collaborator Author

break it how?

@Tritium-VLK
Copy link
Member

Ahh I missed the environment: sensitive. Then it will break the autovoter loader. Let's just take a minute and do an inventory of everywhere this is used (ask everyone), make a checklist, and make sure it is all handled before rolling it out in prod.

In the end we probably want a different key for voting/delegation. Maybe getting that established is part of this.

@gosuto-inzasheru
Copy link
Collaborator Author

how will it break the autovoter loader?

@Tritium-VLK
Copy link
Member

No one has the current key. It's only in github. So in order to move the currently named secret to the org, a new key will have to be generated. Now that I understand this better after our call last week.

Here are the issues I am concerned about.

1: If we change the production key, we have to ensure that the upkeeps it is poking have it as the keeper, and we have to ensure that this address is delegated to load transactions on the omnichain safe on mainnet (which now has 6 figures of BAL in it).

2: If we have production keys in a test environment, it becomes as important to audit/review everything that runs here before it runs/have good branch protection/etc. That makes it harder to work with.

So 2 suggestions:

1: Create an org level secret of the same name with a different key and not export it to msig ops.
2: create a set of TEST_ org level secrets and expose those to dev/test environments. This could even include permissions to load on a test safe/etc.

@gosuto-inzasheru gosuto-inzasheru marked this pull request as draft September 3, 2024 12:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ci: move sensitive workflows to its own env
2 participants