This design document is written to address the concerns mentioned in Key Rotation & Vault Changes. Implementation pending feedback from engineering team members, specifically SDK team.
- We need to be able to quickly recycle all publishing tokens (NPM, PyPI, Cargo, Docker, etc.) at will without disrupting our releases or our developer flow
- We need to limit the publishing tokens to authorized personnel only and not leak them in any way
- GitHub secrets is not enough as it lets anyone with write access to the repo to access the secrets and scuttle them out, even in a brand new PR. Example: getsentry/sentry#21930
- We need SDK releases to be approved by a manager or senior engineer per our SOC/ISO compliance policy
- We have per-project release/publish configurations that repeat almost the same pattern, causing divergence of code
-
Create a central release/publish repository to store release workflow and publishing tokens
-
Only add the authorized personnel to this repo with write/admin/triage access
-
Add all other engineers with read access to the repo
-
Create a structured issue template to request releases
-
Have a "release" action on each repo, that runs
craft prepare
to get the release branch ready and opens an issue on the release repo for publishing with the following information:- repository name
- version to release
-
The owners of the release repo adds an "accepted" tag to trigger the actual release
-
The release then closes the issue with a success message
-
Special case: OSS CalVer releases are done automatically and get automatically approved unless there is a release blocker.
- Should release repo owners be able to publish releases on their own by directly running the workflow or not?
- Should release repo owners still need to create an issue to trigger a release, even if they mark it as approved themselves? (or should we always require a second person to approve, like a code review)
- How much friction will this cause?
- Should we restrict who can approve what release? How?
- Is exposing all the tokens to all authorized personnel acceptable?
We can directly link to manual workflow triggers in the repos but GitHub does not allow pre-filling input values via the URL: https://github.com/getsentry/sentry/actions/manual?workflow=.github%2Fworkflows%2Frelease.yml so we need to use the issue system to store this information and reduce friction. Issues also create a paper trail for future auditing.