Practical Implementation Tips for Secrets

  • Name secrets according to what they’re for, not who they’re for
    • eg: dockerhub_username rather than tokenFor_$projectName_$VCS
  • Name secrets in a way that their names can be programatically looked up
    • eg: AWS_SECRET_ACCESS_KEY: "${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.CACHES_AWS_ACCESS_KEY_ID)] }}" This is a really good name for a few subtle reasons. Detailed in the rust github repo.
      # AWS_SECRET_ACCESS_KEYs are stored in GitHub's secrets storage, named
      # AWS_SECRET_ACCESS_KEY_[[[keyid]]]. Including the key id in the name allows to
      # rotate them in a single branch while keeping the old key in another
      # branch, which wouldn't be possible if the key was named with the kind
      # (caches, artifacts...).
      CACHES_AWS_ACCESS_KEY_ID: the_cache_id
      ARTIFACTS_AWS_ACCESS_KEY_ID: the_artifact_id