# general
b
forking a GitHub repo doesn’t fork the secrets into that repo
b
I don’t set any values inside the pulumi project, I use OIDC for passing credentials: https://github.com/jaxxstorm/lbrlabs/blob/main/delivery/index.ts
m
My cloud provider does not have OIDC.
Forking does not share secrets, but if someone forks, adds a new GitHub workflow that uses my secret, they can do whatever they want to the infrastructure once they open a PR on my repo.
m
So I would need a second private repository. Given I’m writing Go, I could just write packages and then import them.
Thank you, gentlemen, this confirmed my suspicion: I can’t get away with just a public repo
b
…I’m not sure how you came to that conclusion, it’s definitely possible.
m
I can't secure the secrets of my cloud provider in a public GitHub repository.
You use command-dispatch for issues, right? Not sure what commands you're running.
b
> I can’t secure the secrets of my cloud provider in a public GitHub repository.
If you require approvals to run CI on any pull request, it’ll completely eliminate this problem
there are many ways to do this, command dispatch is just one of them
you can do it with the environments feature, for example: https://cloudlumberjack.com/posts/github-actions-approvals/
m
Ah, approvals! True! Hadn't thought of that. Thank you, that solves my issue 🙂
Yup, this is what I needed!
m
I use a combination of secret config variables and environment variables that I store in an S3 bucket in AWS. That makes me much more confident in my open source project using Pulumi