
chore: [DevOps] Add release environment#918

Merged
CharlesDuboisSAP merged 4 commits into
mainfrom
env-secrets
Jul 2, 2026

Conversation

@Jonas-Isr

@Jonas-Isr Jonas-Isr commented Jun 25, 2026

Member

Context

https://github.com/SAP/ai-sdk-java-backlog/issues/399

This is a left-over of the security hardening topic. The idea is to hide release-critical secrets in a specified environment. Then, any workflow that uses these secrets has to fulfil certain requirements. This is to make sure that no workflow that e.g. runs from a branch can simply use our critical secrets.

I set up an environment release in this repo (see link above) and added the secrets CENTRAL_SONATYPE_SETTINGS_XML, PGP_PASSPHRASE, and PGP_PRIVATE_KEY. I added the protection rule that any workflow that runs and wants to use these secrets needs to be manually approved by a member of our team.

If we want this feature, we afterwards would need to delete the above three secrets from the list of repository secrets.

How it looks

Link to successful dummy run.

[Three screenshots taken 2026-06-25 omitted]

Feature scope:

  • create environment
  • use environment in the workflow

Definition of Done

  • Functionality scope stated & covered
  • Tests cover the scope above
  • Error handling created / updated & covered by the tests above
  • Aligned changes with the JavaScript SDK
  • Documentation updated
  • Release notes updated
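As an added illustration of the "use environment in the workflow" step (this is example code, not the repository's own workflow): binding a job to the `release` environment is what makes GitHub apply the environment's protection rule before injecting its secrets. The workflow name, trigger, step commands and the `MAVEN_GPG_PASSPHRASE` convention are assumptions.

```yaml
# Added example, not the project's workflow. Assumes an environment named
# "release" with a required-reviewer rule and the three secrets from the PR.
name: Perform release

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    # The job-level "environment" key activates the protection rules: the run
    # pauses until a configured reviewer approves it, and only after approval
    # are the environment-scoped secrets resolved for the steps below.
    environment: release
    steps:
      - uses: actions/checkout@v4

      - name: Import signing key
        env:
          PGP_PRIVATE_KEY: ${{ secrets.PGP_PRIVATE_KEY }}
        run: |
          # Pass the key via stdin from an env var rather than on the command
          # line, so it appears neither in the job log nor in the process list.
          printf '%s' "$PGP_PRIVATE_KEY" | gpg --batch --import

      - name: Write Maven settings
        env:
          SETTINGS_XML: ${{ secrets.CENTRAL_SONATYPE_SETTINGS_XML }}
        run: |
          mkdir -p ~/.m2
          printf '%s' "$SETTINGS_XML" > ~/.m2/settings.xml

      - name: Deploy
        env:
          # Assumption: the gpg plugin reads the passphrase from this variable,
          # which keeps it out of the mvn command line.
          MAVEN_GPG_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
        run: mvn -B deploy
```

Once the three names are removed from the repository-level secrets, a job that does not declare `environment: release` resolves them to empty strings, which is the guarantee the description is after.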

@Jonas-Isr Jonas-Isr self-assigned this Jun 25, 2026
@Jonas-Isr Jonas-Isr added the please-review Request to review a pull-request label Jun 25, 2026

@CharlesDuboisSAP CharlesDuboisSAP left a comment

Contributor

I don't have access to environments

@Jonas-Isr

Member Author

> I don't have access to environments

See my answer in Slack.

@CharlesDuboisSAP CharlesDuboisSAP left a comment

Contributor

Why is everything commented?

@Jonas-Isr

Jonas-Isr commented Jul 1, 2026

Member Author

> Why is everything commented?

To be able to make the script run without actually doing any releasing for testing. I left it in so you can run the workflow from the branch and see for yourself how the approval process looks.

@CharlesDuboisSAP

Contributor

> To be able to make the script run without actually doing any releasing for testing. I left it in so you can run the workflow from the branch and see for yourself how the approval process looks.

Yeah then please uncomment if you want to merge it to main

@CharlesDuboisSAP CharlesDuboisSAP left a comment

Contributor

You could add a link to the admin dashboard on the Release PR in the step Run the perform release workflow

@CharlesDuboisSAP CharlesDuboisSAP merged commit 3a35a54 into main Jul 2, 2026
6 checks passed
@CharlesDuboisSAP CharlesDuboisSAP deleted the env-secrets branch July 2, 2026 09:01