Skip to content

Copilot/automated key management system #2670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
al7566 wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Copilot/automated key management system #2670

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
e012c1f
Initial plan
Copilot Jan 3, 2026
c5ba396
Add automated key management system core implementation
Copilot Jan 3, 2026
104a686
Add tests and quick start guide for key management system
Copilot Jan 3, 2026
9fb214e
Add implementation summary for key management system
Copilot Jan 3, 2026
e822d5a
Fix code review issues: encapsulation, module detection, and endpoint…
Copilot Jan 3, 2026
a25a220
Add CI/CD integration guide for key management system
Copilot Jan 3, 2026
a4d7c8f
Add documentation index and final polish to key management system
Copilot Jan 3, 2026
5ea776d
Merge branch 'simstudioai:main' into copilot/automated-key-management…
al7566 Jan 27, 2026
a8c6404
Create .env file with application configuration
al7566 Jan 27, 2026
a5de080
`bash nano apps/sim/.env
al7566 Jan 28, 2026
f545a9f
Merge branch 'simstudioai:main' into copilot/automated-key-management…
al7566 Jan 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions .github/workflows/key-manager.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: Key Management

on:
workflow_call:
inputs:
command:
description: 'Key management command to run (scan, check, inject)'
required: false
type: string
default: 'scan'
dry_run:
description: 'Run in dry-run mode (no actual changes)'
required: false
type: boolean
default: true
secrets:
KEYFINDER_SECRET:
description: 'Secret for authenticating with external key sources'
required: false
workflow_dispatch:
inputs:
command:
description: 'Key management command to run'
required: false
type: choice
default: 'scan'
options:
- scan
- check
- inject
dry_run:
description: 'Run in dry-run mode (no actual changes)'
required: false
type: boolean
default: true

permissions:
contents: read
secrets: write

jobs:
key-management:
name: Manage API Keys
runs-on: blacksmith-2vcpu-ubuntu-2404

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3

- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: latest

- name: Install dependencies for key manager
working-directory: scripts
run: bun install

- name: Run Key Manager - Scan Phase
id: scan
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
KEYFINDER_SECRET: ${{ secrets.KEYFINDER_SECRET }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
echo "🔍 Running key management: ${{ inputs.command }}"
echo "Repository: $GITHUB_REPOSITORY"
echo "Dry run: $DRY_RUN"

# Run the key manager script
cd scripts
bunx tsx key-manager.ts ${{ inputs.command }}

- name: Generate Summary
if: always()
run: |
echo "### 🔐 Key Management Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Command:** \`${{ inputs.command }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Dry Run:** ${{ inputs.dry_run }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Security Features" >> $GITHUB_STEP_SUMMARY
echo "- ✅ GitHub Secrets masking enabled" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Sensitive data cleared from memory after processing" >> $GITHUB_STEP_SUMMARY
echo "- ✅ No key values logged to output" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Keys only accessible to authorized users and workflows" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Next Steps" >> $GITHUB_STEP_SUMMARY
echo "1. Review the key manager output above" >> $GITHUB_STEP_SUMMARY
echo "2. Verify all required keys are available" >> $GITHUB_STEP_SUMMARY
echo "3. Keys are ready for deployment workflows" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "> **Note:** This workflow uses the 'find, store, inject, forget' pattern" >> $GITHUB_STEP_SUMMARY
echo "> for secure key management. Key values are never exposed in logs." >> $GITHUB_STEP_SUMMARY

- name: Clear Sensitive Data
if: always()
run: |
echo "🧹 Clearing sensitive data from workflow environment..."
# Unset any environment variables that might contain keys
unset KEYFINDER_SECRET
unset GITHUB_TOKEN
echo "✅ Environment cleaned"
10 changes: 10 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,16 @@ If ports 3000, 3002, or 5432 are in use, configure alternatives:
NEXT_PUBLIC_APP_URL=http://localhost:3100 POSTGRES_PORT=5433 docker compose up -d
```

## Key Management

Sim includes an automated key management system for securely handling API keys and secrets. See [Key Management Documentation](docs/KEY_MANAGEMENT.md) for details.

Key features:
- 🔍 Automatic discovery of required environment variables
- 🔐 Secure storage in GitHub repository secrets
- 💉 Smart injection into configuration files
- 🧹 Automatic memory clearing after processing

## Tech Stack

- **Framework**: [Next.js](https://nextjs.org/) (App Router)
Expand Down
58 changes: 58 additions & 0 deletions `bash nano apps/sim/.env
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
`bash
nano apps/sim/.env
# -------------------------------
# Core Application
# -------------------------------
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/simstudio
PORT=3000
SOCKET_PORT=3002
NEXT_PUBLIC_APP_URL=http://localhost:3000

# -------------------------------
# Authentication & Security
# -------------------------------
BETTER_AUTH_SECRET=4f8c9a7d2b6e4a1f9c3d7e8a5b2c6d9f
BETTER_AUTH_URL=http://localhost:3000
ENCRYPTION_KEY=7e2d4c9f1a3b5d8c6f0e9a2b4d7c8f1a
INTERNAL_API_SECRET=9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f
API_ENCRYPTION_KEY=2a4b6c8d0e1f3a5c7d9b2e4f6a8c0d1e

# -------------------------------
# Logging & Monitoring
# -------------------------------
LOG_LEVEL=info
ENABLE_AUDIT_LOGS=true

# -------------------------------
# Copilot Integration
# -------------------------------
COPILOT_API_KEY=your_copilot_api_key_here

# -------------------------------
# Database & Caching
# -------------------------------
POSTGRES_PORT=5432
REDIS_URL=redis://localhost:6379

# -------------------------------
# Email & Notifications
# -------------------------------
SMTP_HOST=smtp.mailtrap.io
SMTP_PORT=587
SMTP_USER=test_user
SMTP_PASS=test_pass
[email protected]

# -------------------------------
# Telephony / Call Handling
# -------------------------------
TWILIO_ACCOUNT_SID=ACXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TWILIO_AUTH_TOKEN=your_twilio_auth_token
TWILIO_PHONE_NUMBER=+15551234567

# -------------------------------
# AI / Model Integration
# -------------------------------
OLLAMA_URL=http://host.docker.internal:11434
VLLM_BASE_URL=http://localhost:8000
VLLM_API_KEY=your_vllm_api_key_here
1 change: 1 addition & 0 deletions `bash nano apps/sim/AI Assistant Download Page.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
https://claude.ai/public/artifacts/3928fe80-45a4-4747-b233-5f90ba56acb5
Binary file added `bash nano apps/sim/Affiliateandsecurityapp-QuickPass (1).zip
View file
Open in desktop
Binary file not shown.
Binary file added `bash nano apps/sim/AgencyRepresentationBrochure.pdf
View file
Open in desktop
Binary file not shown.
Binary file added `bash nano apps/sim/Artist.skbrushes
View file
Open in desktop
Binary file not shown.
Binary file added `bash nano apps/sim/Artist.skbrushes (1)
View file
Open in desktop
Binary file not shown.
Loading