Warning

🚧 Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.

Secrets and Credentials Management

Golden rule

No credentials, passwords, tokens, or API keys may ever be committed to a Git repository — not even in private branches.

Where to store secrets

Context	Recommended solution
GitHub Actions pipelines	GitHub Secrets (`${{ secrets.NAME }}`)
Cloud Run / GCP	GCP Secret Manager
Airflow	Airflow Connections + GCP Secret Manager
Azure Static Web Apps	Application Settings in Azure portal
Local development	`.env` file (listed in `.gitignore`)

Mandatory .gitignore

Every repository must include in .gitignore:

# Secrets and credentials
.env
.env.*
*.key
*.pem
*credentials*.json
service-account*.json

Secret rotation

Production secrets: rotate every 12 months
Entra ID client secrets: rotate before expiration (configure reminder)
Immediate rotation on suspected compromise

What to do if a secret is accidentally exposed

Immediately: revoke/rotate the exposed secret
Remove from Git: deleting the file is not enough — history persists. Use git filter-repo or contact the Infra Squad
Assess impact: check access logs for the secret during the exposure period
Record the incident: open a ticket in ServiceNow

Patria Tech Docs

Explorer

Patria Tech Docs

Secrets and Credentials Management

Secrets and Credentials Management

Golden rule

Where to store secrets

Mandatory .gitignore

Secret rotation

What to do if a secret is accidentally exposed

Table of Contents

Backlinks