Context
Part of the FIPS-removal effort. See REMOVE_FIPS_PLAN.md for the full plan and premise.
Premise: Per the "everything-as-code" principle, replace the "operator runs gh secret delete …" checklist with a committed, idempotent script so the cleanup is reproducible and auditable.
After the FIPS workflows are deleted (see Issue 2) and the CI IAM role is destroyed by Terraform (see Issue 3), these GitHub repo secrets become orphans:
- AWS_ROLE_ARN
- ECR_REGISTRY
Scope
Add
- scripts/cleanup-fips-secrets.sh — idempotent bash script that:
  - Checks gh secret list --repo "$REPO" for each of the two secrets before calling gh secret delete.
  - Prints "already removed" and exits 0 per secret if it is absent.
  - Accepts a REPO env var (default coder/usgov-deploy-aws).
  - Requires gh authenticated with repo scope on the target repo.
  - Passes shellcheck -x.
  - Has set -euo pipefail and a usage block.
- (Optional but preferred) .github/workflows/cleanup-fips-secrets.yml — a workflow_dispatch-only workflow that runs the script. Gated on a confirmation input equal to the repo name to prevent accidental runs. Allows cleanup from the Actions tab with no local gh install.
Edit
docs/OPERATIONS.md — add a one-liner under the post-migration section pointing to ./scripts/cleanup-fips-secrets.sh (and/or the workflow_dispatch trigger). Do not reintroduce a manual gh secret delete checklist.
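A sketch of the script as specified above, added here as an example (it is not the repository's committed scripts/cleanup-fips-secrets.sh). It assumes gh prints tab-separated rows, name first, when its output is piped; listing the secrets once and checking membership locally avoids a pipefail/grep -q race and makes an unauthenticated gh abort the run instead of being mistaken for "already removed". The filename guard on the last line is an added convenience so the functions can be sourced and exercised against a stubbed gh.

```bash
#!/usr/bin/env bash
# cleanup-fips-secrets.sh: idempotently delete the GitHub repo secrets orphaned
# by the FIPS removal. Re-running is harmless: a secret that is already gone is
# reported as "already removed" and skipped.
set -euo pipefail

REPO="${REPO:-coder/usgov-deploy-aws}"
SECRETS=(AWS_ROLE_ARN ECR_REGISTRY)   # the two orphaned secrets

usage() {
  cat <<EOF
Usage: [REPO=<owner/repo>] $(basename -- "$0")
Deletes the orphaned FIPS-era secrets (${SECRETS[*]}) from the GitHub repo
REPO (default: coder/usgov-deploy-aws). Requires gh authenticated with the
'repo' scope on that repo. Idempotent: already-removed secrets are skipped.
EOF
}

# Print the names of the secrets currently set on $REPO, one per line.
# Assumption: when not attached to a terminal gh prints tab-separated rows,
# name first. If gh is unauthenticated the pipeline fails and set -e aborts
# the run instead of silently treating every secret as "already removed".
list_secret_names() {
  gh secret list --repo "$REPO" | awk '{ print $1 }'
}

# remove_secret NAME PRESENT: delete NAME if it occurs as a whole line in
# PRESENT (the output of list_secret_names), else report and carry on.
# Echoes the action taken so the run is auditable in the Actions log.
remove_secret() {
  local name="$1" present="$2"
  if grep -Fqx -- "$name" <<<"$present"; then
    gh secret delete "$name" --repo "$REPO"
    echo "removed: $name ($REPO)"
  else
    echo "already removed: $name ($REPO)"
  fi
}

main() {
  case "${1:-}" in -h|--help) usage; exit 0 ;; esac
  command -v gh >/dev/null 2>&1 || { echo "error: gh CLI not found" >&2; exit 1; }
  local present
  present="$(list_secret_names)"   # one gh call; fails loudly on auth errors
  for s in "${SECRETS[@]}"; do remove_secret "$s" "$present"; done
}

# Run main only when executed under the script's own name; sourcing the file
# (e.g. from a test that stubs gh) defines the functions without deleting anything.
case "$(basename -- "$0")" in cleanup-fips-secrets.sh) main "$@" ;; esac
```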
Acceptance criteria
- scripts/cleanup-fips-secrets.sh exists, is chmod +x, and passes shellcheck.
- .github/workflows/cleanup-fips-secrets.yml has a workflow_dispatch trigger with a confirmation input and refuses to run unless the input matches the repo name.
- docs/OPERATIONS.md points at the script/workflow; no gh secret delete operator checklist is reintroduced.
Dependencies
Merges after the FIPS-workflows issue and the Terraform-cleanup issue. The script itself is harmless before those merge (it's a no-op if the secrets are already gone), but chronologically it's the final step.
Notes
This is explicitly in place of a markdown operator checklist, per the "everything as code if it can be" directive. The script is portable and can be re-used by forks / downstream deployments.