@mnasiadka

No description provided.

@mnasiadka mnasiadka requested a review from a team as a code owner January 23, 2026 12:57

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request replaces an encrypted vault password with a dummy plaintext value for the CI environment. This is a good practice to avoid managing real secrets in CI. However, I've suggested using a more complex string for the dummy password to mitigate potential risks if CI resources are accidentally exposed.

bP5dzV3wpwHepeZDMPpUIhFXrp/6VVefQU5HwjJzaCiUooCAVCCV8cBsXqvNAhvNO1y41
cUVxFBYyCJ4JGIw1qMBPOSUnhY148xPTm9+4pD6HbR1K9NCbU7GoahFDz2jtRYjFRM401
YuwR7K8GRILFJ4zEbtlmwj4gMUEZSo0HE0BZPUWSZpmFs1wX5LAKenMJs0Ctpg=
vault_pw: "none"
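
Review bot: the new `vault_pw: "none"` line has no comment marking it as a deliberate non-secret placeholder, and the string "none" is easy to misread as an unset or null value. Add a YAML comment directly above it stating that CI runs with a dummy vault password and that the value must not be reused outside CI. If the base64 lines above it are the encrypted value being replaced, they stay in the repository history after this change, so confirm that the password they protected is no longer in use anywhere, or rotate it.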

security-medium medium

Using a common string like 'none' as a dummy password can be a security risk, even in a CI environment. If any resources created during the CI run are inadvertently exposed, they would be protected by a very weak and guessable password. It is a better practice to use a more complex, non-guessable string to mitigate this risk, even if it's not treated as a true secret.

      vault_pw: "dummy-ci-password-not-a-secret"

@mnasiadka mnasiadka merged commit c192e2d into stackhpc/2025.1 Jan 23, 2026
20 of 21 checks passed
@mnasiadka mnasiadka deleted the zero_zuul_secrets branch January 23, 2026 13:00