ADR Suggestion Management of Organization-Wide GitHub Secrets

[AndrewSazonov]

Currently, we have 16 organization-wide secrets configured for GitHub Actions in the EasyScience organization:
https://github.com/organizations/easyscience/settings/secrets/actions

Many of these secrets are either no longer used, duplicated, or possibly not needed anymore. Over time, this makes it harder to understand:

• which secrets are actually required,
• what each secret is used for,
• and whether it is safe to remove or replace them.

Suggestion

I suggest documenting all organization-wide secrets in a dedicated ADR, including:

• a short description of what the secret is used for,
• its visibility (available to all public repositories or only selected ones),
• its current status (active, unused, unclear).

I also suggest that new organization-wide secrets are added only after discussion and by updating this ADR. This should help us keep a clear and up-to-date overview of all secrets over time.

Current overview

As a first step, I created the table below and added two extra columns: Status and Description. I filled in the entries I am confident about.

Please feel free to add comments, corrections, or missing details, so I can update the table accordingly.

Secret name	Status	Description
CODECOV_TOKEN	Active	Token used to upload coverage reports to Codecov.
EASYSCIENCE_APP_KEY	Active	Private key for the EasyScience GitHub App used in CI automation.
ES_PYPI_PASSWORD	Unclear	PyPI password for EasyScience publishing? Suggested to remove, see ADR #52.
ES_PYPI_TOKEN	Unclear	PyPI token for EasyScience publishing? Suggested to remove, see ADR #52.
ES_PYPI_USERNAME	Unclear	PyPI username for EasyScience publishing? Suggested to remove, see ADR #52.
ES_TOKEN	Unclear	Generic EasyScience token? Purpose unclear, needs review.
KEYLOCKER_API_KEY	Unclear	API key for the Keylocker service (Windows code signing)?
KEYLOCKER_CERT_SHA1_HASH	Unclear	SHA1 hash of the certificate used by Keylocker?
KEYLOCKER_HOST	Unclear	Host URL for the Keylocker service?
KEYLOCKER_KEYPAIR_ALIAS	Unclear	Keypair alias used by Keylocker for signing?
PYPI_PASSWORD	Unclear	PyPI password for EasyScience publishing? Suggested to remove, see ADR #52.
PYPI_TESTTOKEN	Unclear	Test PyPI token for EasyScience publishing? Suggested to remove, see ADR #52.
PYPI_TOKEN_ES	Unclear	PyPI token for EasyScience publishing? Suggested to remove, see ADR #52.
PYPI_USERNAME	Unclear	PyPI username for EasyScience publishing? Suggested to remove, see ADR #52.
WINDOWS_CERT_DATA	Unclear	Base64-encoded Windows signing certificate data?
WINDOWS_CERT_PASSWORD	Unclear	Password for the Windows signing certificate?

Open points

• I suggest removing all PyPI-publishing-related secrets after completing the transition described in ADR `ADR Suggestion` Use PyPI Trusted Publishing via GitHub Actions #52.
• If the secrets starting with KEYLOCKER_ are still needed, it would be helpful to add a clearer explanation of what they are used for and which workflows depend on them.
• The same kind of clarification would be useful for the WINDOWS_CERT_ secrets.

More generally, when we have a group of related secrets, I suggest documenting the purpose of the group as a whole, together with a short explanation of each individual secret.

[rozyczko]

Should we modify the description here in this discussion, or do you want to create a separate document?

[AndrewSazonov]

I think it would be better to add your comments or corrections directly in this discussion, so we keep a clear history of changes. You can copy and post only the parts of the table you want to update or adjust. After that, I will prepare an updated version of the full table based on the feedback.

[rozyczko]

KEYLOCKER_API_KEY - API key for Digicert account to use with a service. REQUIRED
KEYLOCKER_HOST - hostname for certificate check. REQUIRED
KEYLOCKER_CERT_SHA1_HASH - no longer necessary. Can be deleted
KEYLOCKER_KEYPAIR_ALIAS - no longer necessary. Can be deleted
WINDOWS_CERT_DATA - base64 encoded .p12 certificate. REQUIRED
WINDOWS_CERT_PASSWORD - password for .p12 certificate decryption. REQUIRED