[bapak]

Secrets gotta live somewhere. Are you supplying them every time you deploy or run CI?

[larntz]

Yes. Either via a secret manager (eg vault) or configured as repo secrets if that kind of infra isn't available.

https://docs.github.com/en/actions/how-tos/security-for-gith...

Never commit secrets for any reason.

[bapak]

Repo secrets are just stored on someone's computer and they obviously have the keys. This is what I mean.

Same for your vault. The vault might be encrypted, but at some point you have to give the keys to the vault.

Your secrets are not safe from someone if someone needs them to run your code.

[larntz]

> Your secrets are not safe from someone if someone needs them to run your code.

This is true. I don't disagree with that or you're assessment of repo secrets.

My comment was in the context of the grandparent committing secrets to a private repo which is a bad practice (regardless of visibility). You could do that for tests, sure (I would suggestion creating random secrets for each test when you can), but then you're creating a bad habit. If you can't use random secrets for tests repo secrets would be acceptable, but I wouldn't use them beyond that.

For CI and deploys I would opt for some kind of secret manager. CI can be run on your own infrastructure, secret managers can be run on your own infrastructure, etc...

But somewhere in the stack secret(s) will be exposed to _someone_.

[cess11]

I'm not telling you what you should or should not do, especially not in the abstract. I commented on the deceptive terminology employed by a very large corporation with deep connections to rather distasteful activities and organisations.

[UltraSane]

I like to encrypt secrets with a master secret stored in a TPM. This makes it impossible to accidentally leak the secret.