Closed
Labels
internal (Maintenance changes)
Description
Summary
By default, Secrets are only exposed to GitHub Actions workflows that run in the base repo. We could do better and only expose certain secrets - release role ARNs, etc. - to specific workflows only.
Why is this needed?
Increases security posture and minimizes blast radius by limiting secrets to specific workflows on a need-to-have basis.
Which area does this relate to?
Automation, Governance
Solution
No response
Acknowledgment
- This request meets Lambda Powertools Tenets
- Should this be considered in other Lambda Powertools languages? i.e. Java, TypeScript