Management of organization-wide GitHub secrets

[AndrewSazonov]

Organization-wide secrets and variables used for GitHub Actions:
https://github.com/organizations/easyscience/settings/secrets/actions

All secrets and variables should be listed here together with:

• the environment variable name,
• its visibility (available to all repositories or only selected ones),
• its current status (active, unused, unclear),
• a short description of what the secret is used for.

Adding a new organization-wide secret or variable should only be done after discussion and by updating this ADR. This will help us maintain a clear and up-to-date overview of all secrets over time.

When we have a group of related secrets, we should document the purpose of the group as a whole, together with a short explanation of each individual secret.

Secrets and Variables

Name	Type	Visibility	Status	Description
CODECOV_TOKEN	Secret	All repos	Active	Token used to upload coverage reports to Codecov
EASYSCIENCE_APP_KEY	Secret	All repos	Active	Private key for the EasyScience GitHub App
EASYSCIENCE_APP_ID	Variable	All repos	Active	ID of the EasyScience GitHub App
CODESIGN_WIN_KEYLOCKER_API_KEY	Secret	All repos	Active	API key used for authentication with DigiCert KeyLocker
CODESIGN_WIN_KEYLOCKER_HOST	Secret	All repos	Active	Hostname of the DigiCert KeyLocker service endpoint
CODESIGN_WIN_CERT_P12_BASE64	Secret	All repos	Active	Base64-encoded PKCS#12 (.p12) Windows code-signing certificate
CODESIGN_WIN_CERT_P12_PASSWORD	Secret	All repos	Active	Password to decrypt the PKCS#12 (.p12) Windows code-signing certificate

Groups

• EASYSCIENCE_APP
  EasyScience GitHub App credentials used for CI automation.

• CODESIGN_WIN
  Credentials and certificates required for Windows application code signing.

---

Links to the related discussions: #53