tighten CI secret scope and move AWS config to environment vars

maennchen · maennchen · commit 3b1be53a5341 · 2025-07-05T11:42:45.000+02:00
* Add `environment: release` to the "publish-to-hex" job so that only
  workflows explicitly targeting the release environment can read
  sensitive values.
* Gate the job behind `if: ${{ vars.HEX_AWS_REGION }}` to avoid noisy
  failures in forks where the variable is not configured.
* Replace `${{ secrets.HEX_AWS_REGION }}` / `${{ secrets.HEX_AWS_S3_BUCKET }}`
  references with `${{ vars.* }}`.  These are not credentials, so
  environment-level *variables* are a better fit and keep them readable
  only by jobs that declare the environment.
* Remove Fastly secrets from the job-wide `env:` block and inject them
  only into the Fastly purge step, following the principle of least
  privilege.  Other steps no longer see these tokens.

Restricting secret visibility to an environment and to the exact step
that needs them reduces the blast radius of a compromised workflow run,
blocks accidental exposure in logs of unrelated steps, and stops forks
from obtaining privileged data.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -303,14 +303,14 @@ jobs:
     needs: [build, sign]
     runs-on: ubuntu-22.04
     concurrency: builds-hex-pm
+    environment: release
+    # Only run if HEX_AWS_REGION is set (no failing job in forks)
+    if: "${{ vars.HEX_AWS_REGION }}"
     env:
       AWS_ACCESS_KEY_ID: ${{ secrets.HEX_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.HEX_AWS_SECRET_ACCESS_KEY }}
-      AWS_REGION: ${{ secrets.HEX_AWS_REGION }}
-      AWS_S3_BUCKET: ${{ secrets.HEX_AWS_S3_BUCKET }}
-      FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
-      FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
-      FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
+      AWS_REGION: ${{ vars.HEX_AWS_REGION }}
+      AWS_S3_BUCKET: ${{ vars.HEX_AWS_S3_BUCKET }}
       OTP_GENERIC_VERSION: "25"
     steps:
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -417,3 +417,7 @@ jobs:
           for key in $(cat purge_keys.txt); do
             purge "${key}"
           done
+        env:
+          FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}
+          FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}
+          FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}
