Maintenance: Encrypt GitHub Actions secrets with environments feature

[heitorlessa]

Summary

By default, Secrets are only exposed to GitHub Actions workflow that run in the base repo. We could do better and only expose certain secrets - release role ARNs, etc. - to specific workflows only.

More info: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets

Why is this needed?

Increases security posture and minimize blast radius by limiting secrets to specific workflows on a need-to-have basis.

Which area does this relate to?

Automation, Governance

Solution

No response

Acknowledgment

• This request meets Lambda Powertools Tenets
• Should this be considered in other Lambda Powertools languages? i.e. Java, TypeScript

[heitorlessa]

related: #1353

[heitorlessa]

Forgot to share that this requires Secrets to be recreated as Environment Secrets.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

[github-actions]

This is now released under 1.26.6 version!