Policy: Turbot > Workspace > GitHub > Secrets
The GitHub webhook secret is set by Guardrails using a secret from GitHub > Secrets, as set by this policy. This ensures that fake secrets cannot be generated or used.
Guardrails sets this policy on installation to a complex password unique to your workspace. This is a secure, effective default.
To ensure secrets work, even during rotation, this policy is defined as an array. The first item is the current secret. Other secrets in the array are used for verifying existing webhooks only.
GitHub Secrets are generally either distributed manually, making them difficult to rotate, or managed by Guardrails (e.g. with Stacks) and automatically rotated per the Turbot > Workspace > GitHub Secrets > Rotation policy.
This policy defines a list of objects, including creation, expiration and active information for each secret. For example:

```json
[
  {
    "secret": "E!TJ8x4!P15ic=DN",
    "created": "2020-07-28T21:32:27.537Z",
    "expiration": "2021-03-31T00:00:00.000Z",
    "isActive": true
  }
]
```
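How a webhook receiver can use such a list during rotation, shown as an added example that is not Guardrails' own code: it checks GitHub's `X-Hub-Signature-256` header (HMAC-SHA256 of the raw request body) against every entry in the array. The secret values, the function names, and the rule that inactive or expired entries are rejected are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample policy value (not real secrets); index 0 is the current secret.
SECRETS = [
    {"secret": "new-constructed-secret", "created": "2024-01-10T00:00:00.000Z",
     "expiration": "2024-07-10T00:00:00.000Z", "isActive": True},
    {"secret": "old-constructed-secret", "created": "2023-07-10T00:00:00.000Z",
     "expiration": "2024-02-10T00:00:00.000Z", "isActive": True},
    {"secret": "retired-constructed-secret", "created": "2023-01-10T00:00:00.000Z",
     "expiration": "2023-08-10T00:00:00.000Z", "isActive": False},
]

def _parse(ts):
    """Parse the ISO 8601 UTC timestamps used in the policy value."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def sign(secret, body):
    """Value GitHub sends in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def signing_secret(secrets):
    """Secret used when creating or updating a webhook: always the first item."""
    return secrets[0]["secret"]

def verify(secrets, body, signature_header, now):
    """Return the index of the entry that validates the delivery, or None."""
    presented = (signature_header or "").encode()
    matched = None
    for i, entry in enumerate(secrets):
        # Assumption: inactive or expired entries are never accepted.
        usable = entry["isActive"] and now < _parse(entry["expiration"])
        # Constant-time comparison; every entry is checked so timing does not
        # reveal which position matched.
        ok = hmac.compare_digest(sign(entry["secret"], body).encode(), presented)
        if usable and ok and matched is None:
            matched = i
    return matched
```

A match at an index other than 0 identifies a webhook still configured with an older secret, which is the signal to update that webhook before the old entry expires.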
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
Policy Specification
Schema Type |
|
---|---|
Default |
|
Category
In Your Workspace
Developers
- tmod:@turbot/turbot#/control/categories/turbot
- tmod:@turbot/github#/policy/types/workspaceGithubSecrets
- Get Policy Type: turbot graphql policy-type --id "tmod:@turbot/github#/policy/types/workspaceGithubSecrets"
- Get Policy Settings: turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/github#/policy/types/workspaceGithubSecrets"