How do you manage secrets in CI/CD and production?

Deep dive

Secrets should be short-lived, scoped, and auditable:

• Use a secrets manager and fetch at runtime (not build time).
• Use OIDC workload identity in CI to get temporary credentials.
• Rotate keys, revoke on incident, and scan for leaked secrets.
• Prevent secrets from appearing in logs or client bundles.

Examples

CI uses OIDC to request short-lived cloud credentials:

GitHub Actions -> OIDC token -> Cloud STS -> temp role creds

Common pitfalls

• Baking secrets into Docker images or front-end bundles.
• Long-lived access keys shared across services.
• Logging secrets by accident (debug or error logs).

Interview follow-ups

• How do you handle secret rotation without downtime?