chore: Use a protected env for upgrade workflow #438

Merged: 1 commit merged into main from yiming.luo/protected-env-upgrade on Jun 3, 2025

@lym953 lym953 commented Jun 3, 2025

What does this PR do?

Make the dependency upgrade workflow upgrade.yml use an environment protected-main-env.

Motivation

Right now the secrets for the GitHub App (GH_APP_ID and GH_APP_PRIVATE_KEY) are repo secrets, which can be made more secure by changing to environment secrets following this guide: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/3034155880/Guide+How+to+Secure+Your+GitHub+Repositories#Secret-management

Before this PR, I just created an environment protected-main-env that has the two secrets. After this PR is merged, I will remove the two repo secrets.

Testing Guidelines

To test after merging this PR because the workflow can only run on main.

Additional Notes

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog

Jira: https://datadoghq.atlassian.net/browse/SVLS-6927
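
An added example, not part of this PR or the project's code: a small check that flags any workflow job reading `GH_APP_ID` or `GH_APP_PRIVATE_KEY` without declaring the `protected-main-env` environment, which is the property the Motivation above is after. The sample workflow, its job ids and the use of `actions/create-github-app-token` are assumptions made for illustration, and the parser assumes block-style YAML with two-space indentation.

```python
import re

# Secret names from the PR description; environment name from the diff.
PROTECTED_SECRETS = {"GH_APP_ID", "GH_APP_PRIVATE_KEY"}
REQUIRED_ENV = "protected-main-env"

# Assumption: block-style YAML, 2-space indent (job ids at 2, job keys at 4).
JOB_HEADER = re.compile(r"^  ([\w-]+):[ \t]*$", re.M)
JOB_ENV = re.compile(r"^ {4}environment:[ \t]*(?:(\S+)|\n +name:[ \t]*(\S+))", re.M)
SECRET_REF = re.compile(r"\bsecrets\.(\w+)")

def split_jobs(workflow):
    """Map job id -> job body text."""
    _, _, body = workflow.partition("\njobs:\n")
    parts = JOB_HEADER.split(body)  # ['', id1, body1, id2, body2, ...]
    return dict(zip(parts[1::2], parts[2::2]))

def job_environment(body):
    """Job-level environment in string or mapping form; None if absent."""
    m = JOB_ENV.search(body)
    return (m.group(1) or m.group(2)).strip("'\"") if m else None

def audit(workflow):
    """(job, secret) pairs where a protected secret is read outside REQUIRED_ENV."""
    findings = []
    for job, body in split_jobs(workflow).items():
        used = PROTECTED_SECRETS & set(SECRET_REF.findall(body))
        if used and job_environment(body) != REQUIRED_ENV:
            findings += [(job, name) for name in sorted(used)]
    return findings

# Constructed workflow for illustration, not the project's generated upgrade.yml.
SAMPLE = """\
on: workflow_dispatch
jobs:
  upgrade:
    runs-on: ubuntu-latest
    steps:
      - run: npx projen upgrade
  pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
"""
FIXED = SAMPLE.replace("  pr:\n", "  pr:\n    environment:\n      name: protected-main-env\n")
print(audit(SAMPLE), audit(FIXED))
```

The check only confirms that the job names the environment; the branch restriction and any reviewer rules live in the environment's settings and have to be verified there.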

@lym953 lym953 requested a review from a team as a code owner June 3, 2025 19:59
@lym953 lym953 requested a review from TalUsvyatsky June 3, 2025 19:59
Comment on lines +95 to +96
environment:
name: protected-main-env
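Review bot: the environment at lines +95 to +96 is referenced by name only, and nothing in the workflow records what makes `protected-main-env` protected. GitHub creates an environment with no protection rules when a workflow references a name that does not exist, so a rename or deletion would not be caught by the workflow itself. Since upgrade.yml is generated, consider a comment next to the setting in .projenrc.js stating that the environment must exist beforehand, restrict deployments to main, and hold GH_APP_ID and GH_APP_PRIVATE_KEY.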
Contributor Author

This file is generated. I modified .projenrc.js so these two lines can be added.

@lym953 lym953 merged commit 2e5a8f1 into main Jun 3, 2025
8 checks passed
@lym953 lym953 deleted the yiming.luo/protected-env-upgrade branch June 3, 2025 20:07
lym953 commented Jun 3, 2025

Nice! I triggered the workflow and it created #439.
