Consider use of GitHub secrets

[rarkins]

I think it's good to document any decision whether to use GitHub's secrets API or not.

• Apps can request access to secrets
• This could be an alternative or replacement to our own planned Support explicit secrets #6662

[rarkins]

I don't think it's right for us currently. Reasoning:

• Access to secrets means access to all secrets in a repo. e.g. could include deployment tokens etc. There is no way for an app to only get access to some secrets or only its own secrets somehow.
• Permissions for GitHub Apps are not optional like for iOS apps. i.e. we can't say to users "grant us access to secrets if you want to use them but decline if you don't want". If they can't grant us access to all secrets then they can't install the app.

[viceice]

Haha, had that idea too and thrown away because the issues you mentioned. 😅

[rarkins]

Closed! Left here in case anyone searches for it in future. We can reconsider if there's a day when GitHub supports (a) optional permissions and/or (b) scoped secrets (e.g. to an app)