Migrate deploy/runtime secrets from GitHub Secrets to GCP Secret Manager

[jirhiker]

Migrate deploy/runtime secrets from GitHub Secrets to GCP Secret Manager

Problem

Deploy workflows currently inject many runtime secrets from GitHub Secrets into app.yaml (and env vars), which creates avoidable secret sprawl and increases blast radius.

Examples include:

• CLOUD_SQL_PASSWORD
• PYGEOAPI_POSTGRES_PASSWORD
• SESSION_SECRET_KEY
• GCS_SERVICE_ACCOUNT_KEY
• Auth-related client secrets

Why this matters

• Reduces exposure in CI logs/workflow context
• Centralizes secret lifecycle in GCP
• Improves rotation and auditing
• Keeps GitHub focused on deployment identity (OIDC/service-account auth), not app secret storage

Proposal

1. Store runtime app secrets in GCP Secret Manager.
2. Reference those secrets in deploy/runtime configuration (App Engine / Cloud Run) instead of injecting raw secret values from GitHub.
3. Keep GitHub Secrets only for deployment auth/bootstrap where unavoidable.
4. Remove legacy hardcoded secret-bearing config from repo/workflows once migrated.

Acceptance Criteria

• All runtime application secrets currently sourced from GitHub are sourced from Secret Manager.
• CD workflows no longer inject raw runtime secret values into generated app.yaml.
• Secret rotation documented and tested.
• Deployment succeeds in staging and production after migration.
• Existing services/jobs start and connect successfully with Secret Manager-backed secrets.

Notes

• We recently moved to template-based app.yaml rendering via envsubst; this should be the stepping stone to eliminate direct secret interpolation where possible.
• Roll out in staging first, then production.

[github-actions]

Linked Jira ticket created: BDMS-612