[User Story] Create runbook for rotating CI/CD tokens and secrets #70
+671
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Create comprehensive token rotation runbook documenting all CI/CD tokens and secrets with rotation procedures - Refactor PR workflow to use BWS_ACCESS_TOKEN_DEV for repository-level secret (matches ADMIN_IP_DEV naming pattern) - Environment-scoped BWS_ACCESS_TOKEN remains for deploy workflows
noahwhite
force-pushed
the
feature/gho-42-user-story-create-runbook-for-rotating-cicd-tokens-and
branch
from
a7a9c59 to
f3e0f1a
Compare
- Add `environment: dev` to PR workflow job - Use environment-scoped BWS_ACCESS_TOKEN (no _DEV suffix needed) - Update runbook to reflect simplified secret scoping
Remove _DEV suffix pattern - now that PR workflow uses environment: dev, it can access environment-scoped secrets directly. Repository-level copies (ADMIN_IP_DEV, CLOUDFLARE_ZONE_ID_DEV) can be deleted.
- Add rule to never add "Generated with Claude Code" to PRs/commits - Update secrets management section to reflect environment-scoped pattern - Reference token-rotation-runbook.md for complete token inventory
noahwhite
force-pushed
the
feature/gho-42-user-story-create-runbook-for-rotating-cicd-tokens-and
branch
from
f3e0f1a to
03b31cd
Compare
- Update pr-tofu-plan-develop.yml to use environment: dev-ci - Update CLAUDE.md to document dev vs dev-ci environments - Update token rotation runbook to reflect two-environment setup
- Update access token rotation: use Cloud access policies, correct naming - Update service account token rotation: correct service account name - Set expiration to 30 days for both tokens - Add Bitwarden secret names and notes update instructions
- Add curl verification commands before saving tokens - Document common issue: tokens ending with == may be truncated - Add guidance on token format and length
- Add token format patterns (glc_* for cloud, glsa_* for service account) - Recommend using copy button in Grafana UI to avoid truncation - Clarify that verification should always happen before saving
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
docs/token-rotation-runbook.md) documenting all CI/CD tokens and secretsenvironment: devto PR workflow so it can access environment-scoped secretsChanges
New Documentation
docs/token-rotation-runbook.md- Complete runbook covering:Workflow Update
environment: devto PR workflow jobBWS_ACCESS_TOKEN(wasBWS_ACCESS_TOKENat repo level)ADMIN_IP(wasADMIN_IP_DEV)CLOUDFLARE_ZONE_ID(wasCLOUDFLARE_ZONE_ID_DEV)Cleanup After Merge
The following repository-level secrets can be deleted (environment-scoped versions are now used):
BWS_ACCESS_TOKEN(repository-level copy)ADMIN_IP_DEVCLOUDFLARE_ZONE_ID_DEVTest plan
Closes GHO-42