chore(internal): add secrets backup workflow for Infisical migration#12474

Closed
davidkonigsberg wants to merge 1 commit into main from devin/1771337429-backup-secrets

Conversation

@davidkonigsberg davidkonigsberg commented Feb 17, 2026

Description

Refs: Companion to fern-platform#6953 and engineering-docs#33

Adds backup jobs to the existing infisical-testing.yml workflow to safely export all GitHub Actions secrets (repo-level and per-environment) to encrypted files in S3, in preparation for migrating to Infisical for centralized secrets management.

Changes Made

  • Modified .github/workflows/infisical-testing.yml — added 3 parallel backup jobs after the existing admin gate:
    | Job | Scope | S3 Key Pattern | Secret Count |
    |---|---|---|---|
    | backup-repo-secrets | Repo-level secrets | fern/repo-secrets-<ts>.json.enc | 18 |
    | backup-fern-dev | Fern Dev environment secrets | fern/fern-dev-secrets-<ts>.json.enc | 3 |
    | backup-fern-prod | Fern Prod environment secrets | fern/fern-prod-secrets-<ts>.json.enc | 2 |
  • Removed the #THIS WORKFLOW IS ONLY TO BE USED FOR TESTING comment

Key details:

  • workflow_dispatch only — must be triggered manually
  • check-admin job gates all backup jobs (only repo admins can proceed)
  • Uses OIDC role assumption (github-ci role) for AWS — no static keys
  • Collects secrets via _BK_-prefixed env vars, serializes to JSON with Python
  • Encrypts each JSON file with AES-256-CBC using a BACKUP_ENCRYPTION_KEY secret
  • Uploads encrypted files to s3://fern-backups/github-secrets/fern/ with SSE-AES256 (repo name in path separates these from fern-platform exports)
  • Always cleans up plaintext files on each runner

To decrypt: openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in <file>.json.enc -out secrets.json -pass pass:"<BACKUP_ENCRYPTION_KEY>"

Updates since last revision

  • Moved backup jobs into existing infisical-testing.yml instead of a standalone backup-secrets.yml (per reviewer feedback)
  • Added fern/ to S3 key prefix so backups are separated by repo (s3://fern-backups/github-secrets/fern/ vs s3://fern-backups/github-secrets/fern-platform/)

Testing

  • Cannot be fully tested until merged and run via workflow_dispatch
  • Workflow structure mirrors the tested pattern from fern-platform#6953

Prerequisites before first run:

  1. Create a BACKUP_ENCRYPTION_KEY repo secret in GitHub (strong passphrase for AES-256 encryption)
  2. Confirm the github-ci IAM role has s3:PutObject permission on the fern-backups bucket

Human Review Checklist

  • Repo-level secrets (18 entries): Cross-check the _BK_* env var names in backup-repo-secrets against the actual secrets configured in GitHub repo settings. Any secrets that exist in GitHub but are missing here will not be backed up (they'll silently be empty strings).
  • Fern Dev environment secrets (3 entries): Verify FERN_ORG_TOKEN_DEV, AUTH0_DOMAIN, AUTH0_CLIENT_ID are the only environment-scoped overrides in Fern Dev. These were inferred from environment: Fern Dev blocks in ci.yml — there may be additional secrets configured in GitHub that aren't referenced in any workflow.
  • Fern Prod environment secrets (2 entries): Verify AUTH0_DOMAIN, AUTH0_CLIENT_ID are the only environment-scoped overrides in Fern Prod. These were inferred from environment: Fern Prod in publish-cli.yml.
  • IAM permissions: Confirm the github-ci IAM role has s3:PutObject permission on the fern-backups bucket (likely already configured from fern-platform).
  • BACKUP_ENCRYPTION_KEY: Confirm creating a new BACKUP_ENCRYPTION_KEY repo secret is acceptable.

Link to Devin run | Requested by @davidkonigsberg


Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
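The collection step described above (gather `_BK_`-prefixed env vars and serialize them to JSON) is the point where the silent-empty-string failure from the review checklist can be caught before anything is encrypted. The following is an added example, not code from this PR or the workflow it modifies: it reads a mapping shaped like `os.environ`, strips the prefix, and refuses to write a backup that contains empty values unless explicitly allowed. The secret names in the constructed sample come from the PR description; the values, the `allow_empty` flag and the function names are assumptions of this example. Encryption and the S3 upload are left to the `openssl enc` and AWS steps the PR describes and are not shown here.

```python
"""Added example (not from the PR): build the JSON document the backup job would
write from _BK_-prefixed environment variables, and fail closed when any of them
is empty, which is how an unconfigured GitHub secret would otherwise be "backed up"."""
import json
import os
from typing import Mapping

# Prefix used by the workflow's env: block, as described in the PR.
PREFIX = "_BK_"


def collect_backup_secrets(environ: Mapping[str, str], prefix: str = PREFIX) -> dict:
    """Return {SECRET_NAME: value} for every variable named <prefix>SECRET_NAME.

    Variables without the prefix (GITHUB_*, PATH, ...) are ignored so that only
    values the workflow deliberately exposed for backup end up in the file."""
    return {
        name[len(prefix):]: value
        for name, value in environ.items()
        if name.startswith(prefix) and len(name) > len(prefix)
    }


def empty_secrets(secrets: Mapping[str, str]) -> list:
    """Names whose value is "": the workflow references a secret that is not
    configured in GitHub (or not visible to this job), so it would be lost."""
    return sorted(name for name, value in secrets.items() if value == "")


def serialize_backup(environ: Mapping[str, str], prefix: str = PREFIX,
                     *, allow_empty: bool = False) -> str:
    """JSON text for the backup, raising instead of silently writing empties."""
    secrets = collect_backup_secrets(environ, prefix)
    missing = empty_secrets(secrets)
    if missing and not allow_empty:
        raise RuntimeError("refusing to back up empty secrets: " + ", ".join(missing))
    return json.dumps(secrets, indent=2, sort_keys=True)


def write_backup(path: str, environ: Mapping[str, str], prefix: str = PREFIX) -> str:
    """Write the plaintext JSON with mode 0600; the runner deletes it after encryption."""
    payload = serialize_backup(environ, prefix)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(payload)
    return path


# Constructed sample environment for a stand-alone run; the values are placeholders.
SAMPLE_ENV = {
    "_BK_FERN_ORG_TOKEN_DEV": "token-dev-placeholder",
    "_BK_AUTH0_DOMAIN": "example.auth0.com",
    "_BK_AUTH0_CLIENT_ID": "",          # referenced by the workflow but unset in GitHub
    "GITHUB_REF": "refs/heads/main",    # not a backup variable, must be ignored
}

if __name__ == "__main__":
    found = collect_backup_secrets(SAMPLE_ENV)
    print("collected:", sorted(found))
    print("empty:", empty_secrets(found))
    try:
        serialize_backup(SAMPLE_ENV)
    except RuntimeError as exc:
        print("check failed as intended:", exc)
```

In the workflow this would replace a plain `json.dumps(dict(os.environ))`-style step: the job fails on the first run if a `_BK_*` name does not match a configured secret, which turns the checklist's manual cross-check into something CI enforces.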
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions

🌱 Seed Test Selector

Select languages to run seed tests for:

  • Python
  • TypeScript
  • Java
  • Go
  • Ruby
  • C#
  • PHP
  • Swift
  • Rust
  • OpenAPI
  • Postman

How to use: Click the ⋯ menu above → "Edit" → check the boxes you want → click "Update comment". Tests will run automatically and snapshots will be committed to this PR.


@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.
