Skip to content
Latchkey

How to Run Access Reviews for CI Secrets

Listing secrets, environments, and who can reach them turns the required periodic access review into a scripted, repeatable export.

Frameworks expect periodic reviews of who can access sensitive credentials. This page enumerates repository and environment secrets plus their reviewers so a human can attest to the list. It is educational; pair it with a ticketed review cadence.

Steps

  • List repository and environment secrets (names only; values are never readable).
  • List environment reviewers who can release with those secrets.
  • Export the results for the reviewer to attest and file with the change record.

Enumerate secrets and reviewers

Terminal
# Repo-level secret names
gh api repos/acme/app/actions/secrets | jq -r '.secrets[].name'

# Environment secret names + protection reviewers
for env in staging production; do
  echo "== $env =="
  gh api repos/acme/app/environments/$env/secrets | jq -r '.secrets[].name'
  gh api repos/acme/app/environments/$env \
    | jq -r '.protection_rules[]?.reviewers[]?.reviewer.login'
done

Notes

  • Secret values are write only; the review is over names, scope, and who can use them.
  • Run this on a schedule and archive the output as the evidence artifact.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →