
@domdomegg
Member

Addresses the security concern where secrets were directly interpolated in GitHub Actions run commands across multiple workflows.

Following GitHub's security best practices, secrets are now passed through intermediate environment variables (matching the secret names: PULUMI_STAGING_PASSPHRASE and PULUMI_PROD_PASSPHRASE) before being written to files.

Changes

deploy.yml:

  • Fixed staging deployment (line 92)
  • Fixed production deployment (line 131)

cancel-pulumi-lock.yml:

  • Fixed staging lock cancellation (line 62)
  • Fixed production lock cancellation (line 70)

Benefits

This approach:

  • Fixes the security issue with direct secret interpolation in 4 locations
  • Maintains compatibility with existing local development workflows
  • Keeps the Makefile unchanged
  • Uses environment variable names that match the secret names for clarity

The key improvement is that ${{ secrets.X }} is no longer expanded directly in the run commands, reducing the risk of accidental disclosure if GitHub's masking fails or is bypassed.

Addresses security concern where secrets were directly interpolated in
run commands. Following GitHub's security best practices, secrets are
now passed through intermediate environment variables before being
written to files.

Changes:
- deploy.yml: Fixed both staging and production deployments
- cancel-pulumi-lock.yml: Fixed both staging and production lock cancellation

This maintains compatibility with the existing Makefile workflow while
reducing the risk of accidental secret disclosure.
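The pattern this PR applies, shown as an added example rather than the project's own workflow: the removed interpolation is kept as a comment beside the replacement step. The secret and variable names are the ones the PR names; the workflow trigger, the passphrase file name, the `umask` and the Makefile target are assumptions, and the production job and the lock-cancellation workflow follow the same shape with PULUMI_PROD_PASSPHRASE.

```yaml
# Added example (not the repository's deploy.yml). Names other than the
# two secrets are assumptions.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # BEFORE (the pattern the PR removes): GitHub expands the expression
      # before the shell starts, so the secret value becomes part of the
      # script text itself and is protected only by log masking.
      # - name: Write passphrase (interpolated)
      #   run: echo "${{ secrets.PULUMI_STAGING_PASSPHRASE }}" > .pulumi-passphrase

      # AFTER: the secret is mapped to an environment variable of the same
      # name; the script text contains only the variable reference, and the
      # shell receives the value as data when the step runs.
      - name: Write passphrase (via environment variable)
        env:
          PULUMI_STAGING_PASSPHRASE: ${{ secrets.PULUMI_STAGING_PASSPHRASE }}
        run: |
          umask 077                       # assumption: keep the file owner-only
          printf '%s' "$PULUMI_STAGING_PASSPHRASE" > .pulumi-passphrase

      # The Makefile target is unchanged (assumption: it reads the file above).
      - name: Deploy staging
        run: make deploy-staging
```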
@domdomegg
Member Author

To be clear: this is not a vulnerability, just improving to match security best practice and increase defence-in-depth :)

@domdomegg domdomegg enabled auto-merge (squash) October 1, 2025 00:25
@domdomegg domdomegg merged commit 6516f75 into main Oct 1, 2025
5 checks passed
@domdomegg domdomegg deleted the adamj/secure-passphrase-handling branch October 1, 2025 09:42