ADR-012 Repository Secrets

Date: 10-12-2024

Status

✅ Accepted

Context

We use the opg-org-infra repository to store organisation-level configuration for our estate. This includes the configuration of all GitHub repositories we use to store code and the access to those repositories. Individual component repositories sometimes need access to secrets for their GitHub Actions build process.

Decision

Where secrets are needed for a build process and an alternative like an OIDC role is not available, the secrets will be managed and pushed to the repository via the opg-org-infra build for that repository. No secrets will be manually added to any GitHub repository in the opg estate.

Consequences

  • We have a single location to track build secrets and their propagation.
  • We can easily trigger replacement and rotation of any secrets.
  • Manual intervention is reduced.

This page was last reviewed on 10 December 2024. It needs to be reviewed again on 10 June 2026 by the page owner #opg-webops-community.