I am trying to implement CI on Github for my apps using Github Actions.
I just finished automated testing and now am thinking about going all the way and automatically packaging, signing and uploading an app after I create a release on Github.
The “problem” is that I would have to store my private app signing key as a secret on Github. I trust Github to have good security, especially for Secrets, but I am still hesitant to upload it there.
On the one hand it could simplify releases a lot and it’s “kinda cool”. On the other hand in a worst case scenario where the key is compromised a malicious attacker could publish malicious code using these (admittedly not that important) apps.
A private key is also different from an API key insofar as, while the API key can be changed/deactivated quickly or only offers access to a staging environment, a private key gives you the means of injecting your code into other Nextcloud instances. I might not even realize it was compromised and that malicious versions had been pushed out until a few weeks after.
What do you think, “fellow app developers”?
P.S. Maybe Nextcloud and other apps have been doing this for a long time. If so, I would like to know. Haven’t researched it yet.
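As an added illustration of the pipeline the post describes (package, sign and upload once a release is published), here is a GitHub Actions workflow. It is not code from the post or from the Nextcloud project. The app id `myapp`, the secret names `APP_SIGNING_KEY` and `APPSTORE_TOKEN`, the environment name `app-store` and the certificate path `appinfo/app.crt` are assumptions; the signing command follows the `openssl dgst -sha512 -sign … | openssl base64` form from the Nextcloud app store developer documentation, and the upload goes to the app store's release endpoint.

```yaml
name: Package, sign and publish app

# Runs only when a release is published in the GitHub UI, not on every push.
on:
  release:
    types: [published]

permissions:
  contents: write   # needed by `gh release upload` to attach assets

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. Configure required reviewers on it in the
    # repository settings so the secrets below are only released to a job a
    # maintainer has approved.
    environment: app-store
    env:
      APP_ID: myapp   # assumption: the app id, must match the tarball's top-level directory
    steps:
      - uses: actions/checkout@v4

      - name: Build tarball from the released commit
        run: |
          git archive --format=tar --prefix="${APP_ID}/" HEAD \
            | gzip > "${APP_ID}.tar.gz"

      - name: Sign tarball with the private key held in a secret
        env:
          APP_SIGNING_KEY: ${{ secrets.APP_SIGNING_KEY }}   # assumed secret name, PEM private key
        run: |
          umask 077                                   # key file is created 0600
          printf '%s\n' "$APP_SIGNING_KEY" > app.key
          openssl dgst -sha512 -sign app.key "${APP_ID}.tar.gz" \
            | openssl base64 -A > "${APP_ID}.tar.gz.sig"
          rm -f app.key                               # key exists on the runner only for this step

      - name: Verify the signature against the committed public certificate
        # Fails the job if the secret holds a key that does not belong to the
        # certificate the app store knows, or if the tarball changed in between.
        run: |
          openssl x509 -in appinfo/app.crt -pubkey -noout > app.pub   # assumed path of the app certificate
          openssl base64 -d -A -in "${APP_ID}.tar.gz.sig" -out sig.bin
          openssl dgst -sha512 -verify app.pub -signature sig.bin "${APP_ID}.tar.gz"

      - name: Attach tarball and signature to the GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "${GITHUB_REF_NAME}" "${APP_ID}.tar.gz" "${APP_ID}.tar.gz.sig" --clobber

      - name: Register the release with the Nextcloud App Store
        env:
          APPSTORE_TOKEN: ${{ secrets.APPSTORE_TOKEN }}   # assumed secret name; API token from apps.nextcloud.com
        run: |
          DOWNLOAD="https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF_NAME}/${APP_ID}.tar.gz"
          SIGNATURE="$(cat "${APP_ID}.tar.gz.sig")"
          curl -fsS -X POST https://apps.nextcloud.com/api/v1/apps/releases \
            -H "Authorization: Token ${APPSTORE_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"download\": \"${DOWNLOAD}\", \"signature\": \"${SIGNATURE}\"}"
```

Two things in this layout address the worry in the post. The key is only handed to a job triggered by a published release and scoped to an environment that can require a reviewer's approval, so a stray push or a pull request from a fork cannot reach it, which a plain repository-level secret used by an on-push workflow would not guarantee. And the verify step re-checks the fresh signature against the certificate in the repository before anything is uploaded, so a wrong or swapped key fails the build instead of producing a release that is rejected, or worse accepted, later. What it does not change is the post's core point: a leaked key stays usable until the certificate is revoked, so the secret should be treated as the same asset as the key on the developer's machine, not as a rotatable API token.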