akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 8 Packages Projects Releases Wiki Activity

fix(security): remove hardcoded encryption keys from docker compose files

Browse Source 
Replace hardcoded CHARON_ENCRYPTION_KEY with environment variable
substitution using Docker Compose required variable syntax.

docker-compose.playwright.yml: use ${CHARON_ENCRYPTION_KEY:?...}
docker-compose.e2e.yml: use ${CHARON_ENCRYPTION_KEY:?...}
e2e-tests.yml: add ephemeral key generation per CI run
.env.test.example: document the requirement prominently
Security: The old key exists in git history and must never be used
in production. Each CI run now generates a unique ephemeral key.

Refs: OWASP A02:2021 - Cryptographic Failures
This commit is contained in:
GitHub Actions
2026-01-25 03:50:12 +00:00
parent a657d38930
commit 978f698570
4 changed files with 59 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/e2e-tests.yml
+7
View File
@@ -163,6 +163,13 @@ jobs:
docker load -i charon-e2e-image.tar
docker images | grep charon
- name: Generate ephemeral encryption key
run: |
# Generate a unique, ephemeral encryption key for this CI run
# Key is 32 bytes, base64-encoded as required by CHARON_ENCRYPTION_KEY
echo "CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> $GITHUB_ENV
echo "✅ Generated ephemeral encryption key for E2E tests"
- name: Start test environment
run: |
# Use the committed docker-compose.playwright.yml for E2E testing