♻️ Refactor GitHub Actions to Store ECR Registry URL as a Secret #119

Merged
merged 2 commits into from
Oct 7, 2024

jasonBirchall
Member

@jasonBirchall jasonBirchall commented Oct 3, 2024

👀 Purpose

♻️ What's changed

  • The ECR registry URL is now stored as a GitHub secret (ECR_REGISTRY_URL) instead of being dynamically retrieved and exposed in workflow logs. This change ensures that sensitive AWS account information, including the registry URL, is not visible in plaintext during workflow execution.

  • GitHub automatically masks secrets in logs, mitigating the risk of inadvertently exposing sensitive information.

📝 Notes

  • The workflow configuration is now cleaner and easier to maintain, as sensitive information is handled through GitHub's secret management.

  • Developers no longer need to retrieve the registry dynamically within each step. The secret is pre-defined and can be referenced easily, leading to more concise and readable workflows.

Rationale:

  • By moving the ECR registry URL to a secret, we follow the principle of least privilege and limit the exposure of sensitive information.

  • It simplifies onboarding for new projects or teams, as the registry information is centrally managed and can be easily updated without modifying the workflow logic itself.

  • This change enhances the overall security posture of our CI/CD workflows and aligns with industry best practices.

jasonBirchall and others added 2 commits October 3, 2024 17:12
- Moved the dynamically gathered ECR registry URL to a GitHub secret.
- Prevents AWS account details from being exposed in the GitHub Actions logs.
- Improves security by masking the ECR registry URL during workflow runtime.
- Simplifies workflow configuration by using secrets for sensitive information.
- Aligns with best practices for handling sensitive data in CI/CD pipelines.
@jasonBirchall jasonBirchall merged commit ad7eaaf into main Oct 7, 2024
2 checks passed
@jasonBirchall jasonBirchall deleted the jasonBirchall-patch-1 branch October 7, 2024 08:54
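
A check to run over saved workflow log text to confirm the registry URL no longer appears in it, added here as an example and not part of this pull request or the project's workflows. The function names and log lines are constructed. It also reports account IDs inside ARNs, because log masking replaces occurrences of the secret's value, so an account ID printed on its own is not covered by an `ECR_REGISTRY_URL` secret.

```shell
#!/bin/sh
# Added example: find AWS account identifiers left unmasked in CI log text.
# Function names and log lines are constructed for illustration.

# Print each distinct ECR registry hostname found on stdin.
find_ecr_hosts() {
  grep -oE '[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?' | sort -u
}

# Print each distinct 12-digit account ID seen in an ARN or an ECR hostname.
find_account_ids() {
  grep -oE '(arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:[0-9]{12}:|[0-9]{12}\.dkr\.ecr\.)' |
    grep -oE '[0-9]{12}' | sort -u
}

# Read a log on stdin; report findings and return 1 if anything leaked.
check_log() {
  log=$(cat)
  hosts=$(printf '%s\n' "$log" | find_ecr_hosts)
  ids=$(printf '%s\n' "$log" | find_account_ids)
  if [ -z "$hosts" ] && [ -z "$ids" ]; then
    echo "clean: no registry hostname or account ID in log"
    return 0
  fi
  for h in $hosts; do echo "unmasked registry: $h"; done
  for i in $ids; do echo "unmasked account ID: $i"; done
  return 1
}

# Constructed log: registry resolved at run time and echoed by the steps.
sample_log() {
  cat <<'EOF'
Assumed role arn:aws:sts::111122223333:assumed-role/ci-role/run
docker build -t 111122223333.dkr.ecr.eu-west-2.amazonaws.com/app:1a2b3c .
docker push 111122223333.dkr.ecr.eu-west-2.amazonaws.com/app:1a2b3c
EOF
}

# Constructed log: the same steps with the registry held in a masked secret.
masked_log() {
  cat <<'EOF'
docker build -t ***/app:1a2b3c .
docker push ***/app:1a2b3c
EOF
}

sample_log | check_log || true
masked_log | check_log
```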