Skip to content

Commit caad9bc

Browse files
al7566al7566
authored
Merge pull request #1 from al7566/copilot/automated-key-management-system
Automated key management system with "find, store, inject, forget" workflow
2 parents e22a28e + a4d7c8f commit caad9bc

13 files changed

+2459
-2
lines changed

.github/workflows/key-manager.yml

Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
name: Key Management
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
command:
7+
description: 'Key management command to run (scan, check, inject)'
8+
required: false
9+
type: string
10+
default: 'scan'
11+
dry_run:
12+
description: 'Run in dry-run mode (no actual changes)'
13+
required: false
14+
type: boolean
15+
default: true
16+
secrets:
17+
KEYFINDER_SECRET:
18+
description: 'Secret for authenticating with external key sources'
19+
required: false
20+
workflow_dispatch:
21+
inputs:
22+
command:
23+
description: 'Key management command to run'
24+
required: false
25+
type: choice
26+
default: 'scan'
27+
options:
28+
- scan
29+
- check
30+
- inject
31+
dry_run:
32+
description: 'Run in dry-run mode (no actual changes)'
33+
required: false
34+
type: boolean
35+
default: true
36+
37+
permissions:
38+
contents: read
39+
secrets: write
40+
41+
jobs:
42+
key-management:
43+
name: Manage API Keys
44+
runs-on: blacksmith-2vcpu-ubuntu-2404
45+
46+
steps:
47+
- name: Checkout code
48+
uses: actions/checkout@v4
49+
50+
- name: Setup Bun
51+
uses: oven-sh/setup-bun@v2
52+
with:
53+
bun-version: 1.3.3
54+
55+
- name: Setup Node
56+
uses: actions/setup-node@v4
57+
with:
58+
node-version: latest
59+
60+
- name: Install dependencies for key manager
61+
working-directory: scripts
62+
run: bun install
63+
64+
- name: Run Key Manager - Scan Phase
65+
id: scan
66+
env:
67+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
68+
GITHUB_REPOSITORY: ${{ github.repository }}
69+
KEYFINDER_SECRET: ${{ secrets.KEYFINDER_SECRET }}
70+
DRY_RUN: ${{ inputs.dry_run }}
71+
run: |
72+
echo "🔍 Running key management: ${{ inputs.command }}"
73+
echo "Repository: $GITHUB_REPOSITORY"
74+
echo "Dry run: $DRY_RUN"
75+
76+
# Run the key manager script
77+
cd scripts
78+
bunx tsx key-manager.ts ${{ inputs.command }}
79+
80+
- name: Generate Summary
81+
if: always()
82+
run: |
83+
echo "### 🔐 Key Management Summary" >> $GITHUB_STEP_SUMMARY
84+
echo "" >> $GITHUB_STEP_SUMMARY
85+
echo "**Command:** \`${{ inputs.command }}\`" >> $GITHUB_STEP_SUMMARY
86+
echo "**Dry Run:** ${{ inputs.dry_run }}" >> $GITHUB_STEP_SUMMARY
87+
echo "" >> $GITHUB_STEP_SUMMARY
88+
echo "#### Security Features" >> $GITHUB_STEP_SUMMARY
89+
echo "- ✅ GitHub Secrets masking enabled" >> $GITHUB_STEP_SUMMARY
90+
echo "- ✅ Sensitive data cleared from memory after processing" >> $GITHUB_STEP_SUMMARY
91+
echo "- ✅ No key values logged to output" >> $GITHUB_STEP_SUMMARY
92+
echo "- ✅ Keys only accessible to authorized users and workflows" >> $GITHUB_STEP_SUMMARY
93+
echo "" >> $GITHUB_STEP_SUMMARY
94+
echo "#### Next Steps" >> $GITHUB_STEP_SUMMARY
95+
echo "1. Review the key manager output above" >> $GITHUB_STEP_SUMMARY
96+
echo "2. Verify all required keys are available" >> $GITHUB_STEP_SUMMARY
97+
echo "3. Keys are ready for deployment workflows" >> $GITHUB_STEP_SUMMARY
98+
echo "" >> $GITHUB_STEP_SUMMARY
99+
echo "> **Note:** This workflow uses the 'find, store, inject, forget' pattern" >> $GITHUB_STEP_SUMMARY
100+
echo "> for secure key management. Key values are never exposed in logs." >> $GITHUB_STEP_SUMMARY
101+
102+
- name: Clear Sensitive Data
103+
if: always()
104+
run: |
105+
echo "🧹 Clearing sensitive data from workflow environment..."
106+
# Unset any environment variables that might contain keys
107+
unset KEYFINDER_SECRET
108+
unset GITHUB_TOKEN
109+
echo "✅ Environment cleaned"

README.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -197,6 +197,16 @@ If ports 3000, 3002, or 5432 are in use, configure alternatives:
197197
NEXT_PUBLIC_APP_URL=http://localhost:3100 POSTGRES_PORT=5433 docker compose up -d
198198
```
199199

200+
## Key Management
201+
202+
Sim includes an automated key management system for securely handling API keys and secrets. See [Key Management Documentation](docs/KEY_MANAGEMENT.md) for details.
203+
204+
Key features:
205+
- 🔍 Automatic discovery of required environment variables
206+
- 🔐 Secure storage in GitHub repository secrets
207+
- 💉 Smart injection into configuration files
208+
- 🧹 Automatic memory clearing after processing
209+
200210
## Tech Stack
201211

202212
- **Framework**: [Next.js](https://nextjs.org/) (App Router)

0 commit comments

Comments
 (0)