Skip to content

Copilot/automated key management system #2670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
al7566 wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Copilot/automated key management system #2670

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e012c1f
Initial plan
Copilot Jan 3, 2026
c5ba396
Add automated key management system core implementation
Copilot Jan 3, 2026
104a686
Add tests and quick start guide for key management system
Copilot Jan 3, 2026
9fb214e
Add implementation summary for key management system
Copilot Jan 3, 2026
e822d5a
Fix code review issues: encapsulation, module detection, and endpoint…
Copilot Jan 3, 2026
a25a220
Add CI/CD integration guide for key management system
Copilot Jan 3, 2026
a4d7c8f
Add documentation index and final polish to key management system
Copilot Jan 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions .github/workflows/key-manager.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: Key Management

on:
workflow_call:
inputs:
command:
description: 'Key management command to run (scan, check, inject)'
required: false
type: string
default: 'scan'
dry_run:
description: 'Run in dry-run mode (no actual changes)'
required: false
type: boolean
default: true
secrets:
KEYFINDER_SECRET:
description: 'Secret for authenticating with external key sources'
required: false
workflow_dispatch:
inputs:
command:
description: 'Key management command to run'
required: false
type: choice
default: 'scan'
options:
- scan
- check
- inject
dry_run:
description: 'Run in dry-run mode (no actual changes)'
required: false
type: boolean
default: true

permissions:
contents: read
secrets: write

jobs:
key-management:
name: Manage API Keys
runs-on: blacksmith-2vcpu-ubuntu-2404

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3

- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: latest

- name: Install dependencies for key manager
working-directory: scripts
run: bun install

- name: Run Key Manager - Scan Phase
id: scan
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
KEYFINDER_SECRET: ${{ secrets.KEYFINDER_SECRET }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
echo "🔍 Running key management: ${{ inputs.command }}"
echo "Repository: $GITHUB_REPOSITORY"
echo "Dry run: $DRY_RUN"

# Run the key manager script
cd scripts
bunx tsx key-manager.ts ${{ inputs.command }}

- name: Generate Summary
if: always()
run: |
echo "### 🔐 Key Management Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Command:** \`${{ inputs.command }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Dry Run:** ${{ inputs.dry_run }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Security Features" >> $GITHUB_STEP_SUMMARY
echo "- ✅ GitHub Secrets masking enabled" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Sensitive data cleared from memory after processing" >> $GITHUB_STEP_SUMMARY
echo "- ✅ No key values logged to output" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Keys only accessible to authorized users and workflows" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Next Steps" >> $GITHUB_STEP_SUMMARY
echo "1. Review the key manager output above" >> $GITHUB_STEP_SUMMARY
echo "2. Verify all required keys are available" >> $GITHUB_STEP_SUMMARY
echo "3. Keys are ready for deployment workflows" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "> **Note:** This workflow uses the 'find, store, inject, forget' pattern" >> $GITHUB_STEP_SUMMARY
echo "> for secure key management. Key values are never exposed in logs." >> $GITHUB_STEP_SUMMARY

- name: Clear Sensitive Data
if: always()
run: |
echo "🧹 Clearing sensitive data from workflow environment..."
# Unset any environment variables that might contain keys
unset KEYFINDER_SECRET
unset GITHUB_TOKEN
echo "✅ Environment cleaned"
10 changes: 10 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,6 +262,16 @@ If ports 3000, 3002, or 5432 are in use, configure alternatives:
NEXT_PUBLIC_APP_URL=http://localhost:3100 POSTGRES_PORT=5433 docker compose up -d
```

## Key Management

Sim includes an automated key management system for securely handling API keys and secrets. See [Key Management Documentation](docs/KEY_MANAGEMENT.md) for details.

Key features:
- 🔍 Automatic discovery of required environment variables
- 🔐 Secure storage in GitHub repository secrets
- 💉 Smart injection into configuration files
- 🧹 Automatic memory clearing after processing

## Tech Stack

- **Framework**: [Next.js](https://nextjs.org/) (App Router)
Expand Down
Loading