Key Rotation - grommet/grommet GitHub Wiki

Grommet is using CircleCi to store secrets. We should rotate our secrets every 6 months to a year.

Currently we have a CHROMATIC_PROJECT_TOKEN, GH_TOKEN, and an NPM_TOKEN stored as project level environment variables. We also have an SSH deploy key that connects to the Grommet GitHub repository. This guide will walk you through the steps for updating these keys.

Chromatic

  • Open the Chromatic app and go to project -> manage -> configure -> reset token
  • Once you reset the token, copy this value into grommet’s package.json chromatic script

Additional notes:

Having the token value directly in our package.json isn’t ideal. The reason we did this is that we need Chromatic to be able to run from forked PRs. If we used the Chromatic token stored in CircleCi’s environment variables, we wouldn’t be able to run Chromatic from forks. CircleCi has an option to allow access to environment variables from forks, but that would make all of our environment variables accessible from forks. Only the Chromatic key should be accessible from forks.

In the future it may be worth looking into creating a context to store our NPM and GitHub tokens. We could restrict this context to our team, leave the Chromatic token in the environment variable section of CircleCi, and make environment variables accessible from forks. Related link: https://circleci.com/blog/protect-secrets-with-restricted-contexts/

NPM

Additional Notes:

We created a legacy token with publish permissions. Next time we rotate this token it may be worth looking into using the new token style.

GitHub

  • On GitHub, log in to the ‘grommetux’ account. Navigate to settings -> developer settings -> tokens
  • Delete the CircleCi release token
  • Create a new token named ‘CircleCi release’
  • Set the token to expire in a year
  • The token should have the ‘repo’ and ‘workflow’ scopes
  • Copy the token value
  • Go to the CircleCi application
  • Navigate to environment variables under the grommet project
  • Delete the GH_TOKEN
  • Create a new environment variable named GH_TOKEN and paste in the token value

Additional Notes:

Initially, after resetting the key, builds were failing on CircleCi. Then after a few days the release step started working again. If you look at the CircleCi release step, under the global config section the user name is being set to “Grommet Community Bot”. This is a separate account from the grommet account we updated the key on. Next time we rotate keys it may be worth looking into this step a little more to understand why it took multiple days before the key started working and why a different account name is being used.

SSH key

  • Go to the grommet repo -> settings -> deploy keys
  • Delete the deploy key
  • On CircleCi go to SSH keys for grommet
  • Delete the SSH key and then generate a new one on CircleCi
  • The new key should automatically show up in the SSH keys in the grommet repo on GitHub

Additional Notes:

If needed, a key can be generated from the command line. Access should be read-only and the passphrase should be empty. Instructions here:
