Now my API keys are encrypted with AES256 and get decrypted in the code pipeline for a new release for every change to the repo.
But if my project were open source, then what would prevent an incoming PR which triggers the code pipeline from printing the decrypted files in clear text?
If I assume that the project is open source and we did encrypt the API keys, then an incoming PR could still trigger the Travis pipeline and could output the keys in clear text like this:
- openssl aes-256-cbc -K $encrypted_42b9fd1_key -iv $encrypted_42b9fd1_iv -in secrets.tar.enc -out secrets.tar -d
- tar xvf secrets.tar
- cat api-key.json
How to prevent such a scenario? Or did I misunderstand?
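An added example (not part of the question above) of how a defender would gate the decryption step so an untrusted build never even tries to decrypt the tarball. It assumes Travis CI's documented build variables `TRAVIS_PULL_REQUEST` (the string `false` for a non-PR build, otherwise the PR number) and `TRAVIS_SECURE_ENV_VARS` (`true` only when the encrypted variables were actually injected, which Travis does not do for pull requests from forks); the function names are hypothetical.

```shell
# Added example: fail-closed guard around the openssl/tar steps from the question.
# Assumption: TRAVIS_PULL_REQUEST is "false" for a push build and the PR number
# otherwise; TRAVIS_SECURE_ENV_VARS is "true" only when the encrypted key/iv
# variables were injected (Travis withholds them from fork pull requests).

# should_decrypt PULL_REQUEST SECURE_ENV_VARS
# Returns 0 (go ahead) only for a non-PR build that really received the secrets.
should_decrypt() {
    pr="$1"
    secure="$2"
    [ "$pr" = "false" ] && [ "$secure" = "true" ]
}

# decrypt_secrets KEY IV
# Same openssl/tar steps as in the question, but skipped on untrusted builds so
# the rest of the pipeline (tests, lint) still runs without any secret material.
decrypt_secrets() {
    key="$1"
    iv="$2"
    if ! should_decrypt "${TRAVIS_PULL_REQUEST:-unknown}" "${TRAVIS_SECURE_ENV_VARS:-false}"; then
        echo "untrusted build (PR=${TRAVIS_PULL_REQUEST:-unknown}): skipping secret decryption" >&2
        return 0
    fi
    openssl aes-256-cbc -K "$key" -iv "$iv" -in secrets.tar.enc -out secrets.tar -d || return 1
    tar xf secrets.tar || return 1
    # Remove the plaintext archive and never echo/cat its contents into the build log,
    # since Travis logs are public for an open-source project.
    rm -f secrets.tar
}
```

Note that a PR can edit the build script itself, so this guard is not what protects the key; the protection is that the `$encrypted_*_key`/`_iv` values are absent from fork PR builds in the first place, and the guard just makes that case explicit and quiet.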