\u0625\u0630\u0627 \u0641\u062d\u0635\u062a \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u062c\u0630\u0631\u064a \u0644\u0643\u0644 \u0627\u062e\u062a\u0631\u0627\u0642 \u0631\u0626\u064a\u0633\u064a \u062a\u0642\u0631\u064a\u0628\u0627\u064b \u0644\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0641\u064a \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629 \u2014 \u0645\u0646 \u0647\u062c\u0648\u0645 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0639\u0644\u0649 Codecov \u0625\u0644\u0649 \u062d\u0627\u062f\u062b\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0641\u064a CircleCI \u2014 \u0633\u062a\u062c\u062f \u0646\u0641\u0633 \u0627\u0644\u062c\u0627\u0646\u064a: \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0643\u0634\u0648\u0641\u0629. \u0645\u0641\u0627\u062a\u064a\u062d API\u060c \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629\u060c \u0648\u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0648\u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u2014 \u0647\u0630\u0647 \u0647\u064a \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0627\u0644\u062a\u064a \u064a\u0633\u0639\u0649 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0644\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u064a\u0647\u0627\u060c \u0648\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0647\u064a \u0627\u0644\u0645\u0643\u0627\u0646 \u0627\u0644\u0630\u064a \u064a\u0631\u0643\u0632\u0648\u0646 \u0641\u064a\u0647 \u062c\u0647\u0648\u062f\u0647\u0645.<\/p>\n
\u0627\u0644\u0633\u0628\u0628 \u0647\u064a\u0643\u0644\u064a. \u0641\u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u062a\u0642\u0639 \u0641\u064a \u0645\u0648\u0642\u0639 \u062e\u0637\u064a\u0631 \u0628\u0634\u0643\u0644 \u0641\u0631\u064a\u062f: \u064a\u062c\u0628<\/strong> \u0623\u0646 \u064a\u0643\u0648\u0646 \u0644\u062f\u064a\u0647\u0627 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0644\u0646\u0634\u0631 \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0627\u062a\u060c \u0648\u0645\u0639 \u0630\u0644\u0643 \u0641\u0647\u064a \u0628\u0637\u0628\u064a\u0639\u062a\u0647\u0627 \u0645\u0624\u0642\u062a\u0629 \u0648\u0645\u062a\u0639\u062f\u062f\u0629 \u0627\u0644\u0645\u0633\u062a\u0623\u062c\u0631\u064a\u0646 \u0648\u0645\u0639\u0631\u0636\u0629 \u0644\u0643\u0648\u062f \u063a\u064a\u0631 \u0645\u0648\u062b\u0648\u0642. \u0643\u0644 \u0637\u0644\u0628 \u0633\u062d\u0628\u060c \u0648\u0643\u0644 \u062a\u062d\u062f\u064a\u062b \u0644\u0644\u062a\u0628\u0639\u064a\u0627\u062a\u060c \u0648\u0643\u0644 \u062f\u0641\u0639 \u0645\u0646 \u0627\u0644\u0645\u0633\u0627\u0647\u0645\u064a\u0646 \u064a\u064f\u0641\u0639\u0651\u0644 \u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u2014 \u0648\u0643\u0644 \u062a\u0634\u063a\u064a\u0644 \u0647\u0648 \u0646\u0627\u0642\u0644 \u0645\u062d\u062a\u0645\u0644 \u0644\u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631.<\/p>\n \u0627\u0644\u062a\u062d\u062f\u064a \u0644\u064a\u0633 \u0628\u0628\u0633\u0627\u0637\u0629 “\u0644\u0627 \u062a\u0636\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0627\u0644\u0643\u0648\u062f.” \u0628\u0644 \u0647\u0648 \u0623\u0639\u0645\u0642 \u0645\u0646 \u0630\u0644\u0643 \u0628\u0643\u062b\u064a\u0631. \u0643\u064a\u0641 \u062a\u0645\u0646\u062d \u0628\u064a\u0626\u0629 \u062d\u0648\u0633\u0628\u0629 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0648\u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062e\u0644\u0635 \u0645\u0646\u0647\u0627 \u0648\u0635\u0648\u0644\u0627\u064b \u0625\u0644\u0649 \u0623\u0643\u062b\u0631 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f\u0643 \u062d\u0633\u0627\u0633\u064a\u0629 \u062f\u0648\u0646 \u0623\u0646 \u062a\u062a\u0633\u0631\u0628 \u062a\u0644\u0643 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0625\u0644\u0649 \u0627\u0644\u0633\u062c\u0644\u0627\u062a \u0623\u0648 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a \u0623\u0648 \u0627\u0644\u0645\u0647\u0627\u0645 \u0627\u0644\u0644\u0627\u062d\u0642\u0629 \u0623\u0648 \u0623\u064a\u062f\u064a \u0627\u0644\u062c\u0647\u0627\u062a \u0627\u0644\u062e\u0628\u064a\u062b\u0629\u061f \u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0633\u0624\u0627\u0644 \u0627\u0644\u0630\u064a \u064a\u062c\u064a\u0628 \u0639\u0644\u064a\u0647 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644.<\/p>\n \u0633\u0646\u062a\u0646\u0627\u0648\u0644 \u0643\u064a\u0641\u064a\u0629 \u062a\u0639\u0631\u0636 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0644\u0644\u0643\u0634\u0641\u060c \u0648\u0643\u064a\u0641\u064a\u0629 \u062d\u0642\u0646\u0647\u0627 \u0628\u0623\u0645\u0627\u0646\u060c \u0648\u0643\u064a\u0641\u064a\u0629 \u062f\u0645\u062c HashiCorp Vault \u0648\u0627\u062a\u062d\u0627\u062f \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629\u060c \u0648\u0645\u0627 \u0647\u064a \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0636\u0627\u062f\u0629 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u062a\u062c\u0646\u0628\u0647\u0627. \u0647\u0630\u0627 \u062f\u0644\u064a\u0644 \u0639\u0645\u0644\u064a \u2014 \u062a\u0648\u0642\u0639 \u0645\u0644\u0641\u0627\u062a YAML \u062d\u0642\u064a\u0642\u064a\u0629 \u0648\u0623\u0648\u0627\u0645\u0631 CLI \u062d\u0642\u064a\u0642\u064a\u0629 \u0648\u0642\u0631\u0627\u0631\u0627\u062a \u0645\u0639\u0645\u0627\u0631\u064a\u0629 \u062d\u0642\u064a\u0642\u064a\u0629.<\/p>\n \u0642\u0628\u0644 \u0623\u0646 \u0646\u0646\u0627\u0642\u0634 \u0627\u0644\u062d\u0644\u0648\u0644\u060c \u0646\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0641\u0647\u0645 \u0645\u0634\u0647\u062f \u0627\u0644\u062a\u0647\u062f\u064a\u062f\u0627\u062a. \u062a\u062a\u0633\u0631\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u0646 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0639\u0628\u0631 \u0639\u062f\u0629 \u0646\u0648\u0627\u0642\u0644 \u0645\u0648\u062b\u0642\u0629 \u062c\u064a\u062f\u0627\u064b.<\/p>\n \u0623\u0628\u0633\u0637 \u0646\u0627\u0642\u0644 \u062a\u0633\u0631\u064a\u0628 \u2014 \u0648\u0627\u0644\u0630\u064a \u0644\u0627 \u064a\u0632\u0627\u0644 \u0634\u0627\u0626\u0639\u0627\u064b \u0628\u0634\u0643\u0644 \u0645\u0642\u0644\u0642 \u2014 \u0647\u0648 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u0636\u0645\u0646\u0629 \u0645\u0628\u0627\u0634\u0631\u0629 \u0641\u064a \u0645\u0644\u0641\u0627\u062a \u0625\u0639\u062f\u0627\u062f \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0623\u0648 \u0642\u0648\u0627\u0644\u0628 Infrastructure as Code. \u0642\u062f \u064a\u0642\u0648\u0645 \u0645\u0637\u0648\u0631 \u064a\u062e\u062a\u0628\u0631 \u0639\u0645\u0644\u064a\u0629 \u0646\u0634\u0631 \u0628\u0648\u0636\u0639 \u0645\u0641\u062a\u0627\u062d \u0648\u0635\u0648\u0644 AWS \u0641\u064a \u0645\u0644\u0641 \u062a\u0642\u0648\u0645 \u0645\u0646\u0635\u0627\u062a CI \u0639\u0627\u062f\u0629\u064b \u0628\u062d\u0642\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0643\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0628\u064a\u0626\u0629. \u062a\u0646\u0634\u0623 \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0639\u0646\u062f\u0645\u0627 \u062a\u0642\u0648\u0645 \u062e\u0637\u0648\u0627\u062a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0637\u0628\u0627\u0639\u0629 \u062a\u0644\u0643 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0625\u0644\u0649 stdout \u0639\u0646 \u063a\u064a\u0631 \u0642\u0635\u062f. \u0623\u0645\u0631 \u0642\u062f \u064a\u0638\u0644 \u0627\u0644\u0633\u0631 \u0627\u0644\u0645\u062d\u0642\u0648\u0646 \u0623\u062b\u0646\u0627\u0621 \u0628\u0646\u0627\u0621 Docker \u0645\u0648\u062c\u0648\u062f\u0627\u064b \u0641\u064a \u0637\u0628\u0642\u0629 \u0648\u0633\u064a\u0637\u0629 \u062d\u062a\u0649 \u0628\u0639\u062f \u062d\u0630\u0641\u0647 \u0641\u064a \u062a\u0639\u0644\u064a\u0645\u0629 \u0647\u0630\u0627 \u0623\u062d\u062f \u0623\u062e\u0637\u0631 \u0627\u0644\u0646\u0648\u0627\u0642\u0644\u060c \u062e\u0627\u0635\u0629 \u0641\u064a \u0645\u0634\u0627\u0631\u064a\u0639 \u0627\u0644\u0645\u0635\u062f\u0631 \u0627\u0644\u0645\u0641\u062a\u0648\u062d. \u0644\u0627 \u064a\u0648\u0641\u0631 GitHub Actions\u060c \u0639\u0644\u0649 \u0633\u0628\u064a\u0644 \u0627\u0644\u0645\u062b\u0627\u0644\u060c \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0644\u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062a\u064a \u064a\u062a\u0645 \u062a\u0634\u063a\u064a\u0644\u0647\u0627 \u0628\u0648\u0627\u0633\u0637\u0629 \u062a\u0642\u0648\u0645 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0628\u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0624\u0633\u0633\u0629 \u0623\u0648 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u0628\u064a\u0646\u0645\u0627 \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u062d\u0635\u0648\u0631\u0629 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0623\u0648 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0641\u0631\u062f\u064a\u0629. \u0627\u0644\u0633\u0631 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0624\u0633\u0633\u0629 \u0641\u064a GitHub Actions \u0645\u062a\u0627\u062d \u0644\u0640 \u0643\u0644 \u0645\u0633\u062a\u0648\u062f\u0639<\/em> \u0641\u064a \u062a\u0644\u0643 \u0627\u0644\u0645\u0624\u0633\u0633\u0629. \u0625\u0630\u0627 \u062a\u0645 \u0627\u062e\u062a\u0631\u0627\u0642 \u0623\u064a \u0645\u0646 \u062a\u0644\u0643 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u2014 \u0623\u0648 \u0643\u0627\u0646 \u064a\u062d\u062a\u0648\u064a \u0628\u0628\u0633\u0627\u0637\u0629 \u0639\u0644\u0649 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u064f\u0639\u062f\u0651 \u0628\u0634\u0643\u0644 \u062e\u0627\u0637\u0626 \u2014 \u0641\u0625\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0624\u0633\u0633\u0629 \u0645\u0639\u0631\u0636\u0629 \u0644\u0644\u062e\u0637\u0631.<\/p>\n \u0627\u0644\u0622\u0646 \u0628\u0639\u062f \u0623\u0646 \u0641\u0647\u0645\u0646\u0627 \u0643\u064a\u0641 \u062a\u062a\u0633\u0631\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u062f\u0639\u0648\u0646\u0627 \u0646\u0641\u062d\u0635 \u0643\u064a\u0641\u064a\u0629 \u0625\u062f\u062e\u0627\u0644\u0647\u0627 \u0641\u064a \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0623\u0645\u0627\u0646.<\/p>\n \u062a\u0648\u0641\u0631 \u0643\u0644 \u0645\u0646\u0635\u0629 CI\/CD \u0631\u0626\u064a\u0633\u064a\u0629 \u0622\u0644\u064a\u0629 \u0645\u062f\u0645\u062c\u0629 \u0644\u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631. \u064a\u062d\u062a\u0648\u064a GitHub Actions \u0639\u0644\u0649 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0627\u0644\u0628\u064a\u0626\u0629 \u0648\u0627\u0644\u0645\u0624\u0633\u0633\u0629. \u064a\u062d\u062a\u0648\u064a GitLab CI \u0639\u0644\u0649 \u0645\u062a\u063a\u064a\u0631\u0627\u062a CI\/CD \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0634\u0631\u0648\u0639 \u0648\u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0639 \u0625\u062e\u0641\u0627\u0621 \u0648\u062d\u0645\u0627\u064a\u0629 \u0627\u062e\u062a\u064a\u0627\u0631\u064a\u064a\u0646. \u0647\u0630\u0647 \u0647\u064a \u0623\u0628\u0633\u0637 \u0646\u0642\u0637\u0629 \u0628\u062f\u0627\u064a\u0629.<\/p>\n \u062a\u0639\u062f \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0646\u0635\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629 \u0643\u0627\u0641\u064a\u0629 \u0644\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u062d\u0627\u0644\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\u060c \u0644\u0643\u0646\u0647\u0627 \u062a\u0639\u0627\u0646\u064a \u0645\u0646 \u0642\u064a\u0648\u062f \u0643\u0628\u064a\u0631\u0629: \u0644\u0627 \u062a\u0648\u0644\u064a\u062f \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u060c \u0648\u062a\u0633\u062c\u064a\u0644 \u062a\u062f\u0642\u064a\u0642 \u0645\u062d\u062f\u0648\u062f\u060c \u0648\u062a\u062f\u0648\u064a\u0631 \u064a\u062f\u0648\u064a\u060c \u0648\u0639\u062f\u0645 \u0648\u062c\u0648\u062f \u0625\u062f\u0627\u0631\u0629 \u0645\u0631\u0643\u0632\u064a\u0629 \u0639\u0628\u0631 \u0645\u0646\u0635\u0627\u062a \u0645\u062a\u0639\u062f\u062f\u0629.<\/p>\n \u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0630\u0627\u062a \u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0646\u0627\u0636\u062c\u0629\u060c \u064a\u0648\u0641\u0631 \u0645\u062f\u064a\u0631\u0648 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u0648\u0646 \u2014 HashiCorp Vault \u0648AWS Secrets Manager \u0648GCP Secret Manager \u0648Azure Key Vault \u2014 \u062a\u062d\u0643\u0645\u0627\u064b \u0645\u0631\u0643\u0632\u064a\u0627\u064b \u0648\u062a\u0633\u062c\u064a\u0644 \u062a\u062f\u0642\u064a\u0642 \u0648\u062a\u0648\u0644\u064a\u062f \u0623\u0633\u0631\u0627\u0631 \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a \u0648\u062a\u062f\u0648\u064a\u0631\u0627\u064b \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0648\u0633\u064a\u0627\u0633\u0627\u062a \u0648\u0635\u0648\u0644 \u062f\u0642\u064a\u0642\u0629. \u0633\u0646\u062a\u0639\u0645\u0642 \u0641\u064a \u062a\u0643\u0627\u0645\u0644 Vault \u0641\u064a \u0627\u0644\u0642\u0633\u0645 \u0627\u0644\u062a\u0627\u0644\u064a.<\/p>\n \u064a\u062a\u0645 \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062d\u0645\u0644\u0629 \u0645\u0633\u0628\u0642\u0627\u064b \u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0648\u0625\u062a\u0627\u062d\u062a\u0647\u0627 \u0644\u062c\u0645\u064a\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u062a\u0634\u063a\u064a\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u0647\u0630\u0647 \u0647\u064a \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u062a\u064a \u062a\u0639\u0645\u0644 \u0628\u0647\u0627 \u0645\u0639\u0638\u0645 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0646\u0635\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629. \u064a\u0633\u062a\u0631\u062c\u0639 \u0627\u0644\u062d\u0642\u0646 \u0627\u0644\u0641\u0648\u0631\u064a (JIT) \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0627\u0644\u0644\u062d\u0638\u0629 \u0627\u0644\u062a\u064a \u062a\u0643\u0648\u0646 \u0641\u064a\u0647\u0627 \u0645\u0637\u0644\u0648\u0628\u0629\u060c \u063a\u0627\u0644\u0628\u0627\u064b \u0645\u0639 \u0641\u062a\u0631\u0627\u062a \u0635\u0644\u0627\u062d\u064a\u0629 \u0642\u0635\u064a\u0631\u0629 (TTL). \u0627\u0644\u062d\u0642\u0646 \u0627\u0644\u0641\u0648\u0631\u064a \u0623\u0641\u0636\u0644 \u0644\u0623\u0646\u0647 \u064a\u0642\u0644\u0644 \u0646\u0627\u0641\u0630\u0629 \u0627\u0644\u062a\u0639\u0631\u0636\u060c \u0648\u064a\u0645\u0643\u0651\u0646 \u0645\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629\u060c \u0648\u064a\u0648\u0641\u0631 \u0645\u0633\u0627\u0631\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0644\u0643\u0644 \u062a\u0634\u063a\u064a\u0644.<\/p>\n \u0647\u0646\u0627\u0643 \u0645\u0641\u0647\u0648\u0645 \u062e\u0627\u0637\u0626 \u0634\u0627\u0626\u0639: “\u0645\u064f\u062e\u0641\u0649” \u0644\u0627 \u064a\u0639\u0646\u064a “\u0622\u0645\u0646.” \u0639\u0646\u062f\u0645\u0627 \u064a\u064f\u062e\u0641\u064a GitHub Actions \u0633\u0631\u0627\u064b\u060c \u0641\u0625\u0646\u0647 \u064a\u0642\u0648\u0645 \u0628\u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0627\u0644\u0646\u0635 \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0633\u062c\u0644. \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0642\u064a\u0645\u0629 \u0627\u0644\u0633\u0631 \u0642\u0635\u064a\u0631\u0629 (\u0645\u062b\u0644 \u0631\u0645\u0632 \u0645\u0646 4 \u0623\u062d\u0631\u0641)\u060c \u0641\u0642\u062f \u0644\u0627 \u064a\u062a\u0645 \u062a\u0641\u0639\u064a\u0644 \u0627\u0644\u0625\u062e\u0641\u0627\u0621. \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0633\u0631 \u0645\u0634\u0641\u0631\u0627\u064b \u0628\u0640 base64 \u0623\u0648 \u062a\u0645 \u062a\u062d\u0648\u064a\u0644\u0647 \u0628\u0623\u064a \u0637\u0631\u064a\u0642\u0629\u060c \u0641\u0625\u0646 \u0627\u0644\u0642\u064a\u0645\u0629 \u0627\u0644\u0645\u062d\u0648\u0644\u0629 \u0644\u0646<\/em> \u064a\u062a\u0645 \u0625\u062e\u0641\u0627\u0624\u0647\u0627. \u0627\u0644\u0625\u062e\u0641\u0627\u0621 \u0647\u0648 \u062a\u0633\u0647\u064a\u0644 \u0648\u0644\u064a\u0633 \u062d\u062f\u0627\u064b \u0623\u0645\u0646\u064a\u0627\u064b. \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0634\u0641\u0631\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 (\u0627\u0644\u062a\u064a \u062a\u0648\u0641\u0631\u0647\u0627 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0646\u0635\u0627\u062a \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629) \u062a\u062d\u0645\u064a \u0645\u0646 \u0627\u062e\u062a\u0631\u0627\u0642 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0639\u0644\u0649 \u062c\u0627\u0646\u0628 \u0627\u0644\u0645\u0646\u0635\u0629 \u0644\u0643\u0646\u0647\u0627 \u0644\u0627 \u062a\u0641\u0639\u0644 \u0634\u064a\u0626\u0627\u064b \u0644\u0645\u0646\u0639 \u0627\u0644\u062a\u0633\u0631\u064a\u0628 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u062a\u0634\u063a\u064a\u0644.<\/p>\n \u064a\u064f\u0639\u062f HashiCorp Vault \u0623\u0643\u062b\u0631 \u0645\u062f\u064a\u0631\u064a \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u064a\u0646 \u0627\u0639\u062a\u0645\u0627\u062f\u0627\u064b \u0644\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD. \u064a\u062f\u0639\u0645 \u0637\u0631\u0642 \u0645\u0635\u0627\u062f\u0642\u0629 \u0645\u062a\u0639\u062f\u062f\u0629 \u0645\u0646\u0627\u0633\u0628\u0629 \u0644\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u0645\u0624\u062a\u0645\u062a\u0629\u060c \u0648\u062a\u0648\u0644\u064a\u062f \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629\u060c \u0648\u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629. \u0625\u0644\u064a\u0643 \u0643\u064a\u0641\u064a\u0629 \u062f\u0645\u062c\u0647 \u0645\u0639 \u0623\u0643\u062b\u0631 \u0645\u0646\u0635\u062a\u064a CI\/CD \u0634\u064a\u0648\u0639\u0627\u064b.<\/p>\n AppRole \u0647\u064a \u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0627\u0644\u0645\u0648\u062c\u0647\u0629 \u0644\u0644\u0622\u0644\u0627\u062a \u0641\u064a Vault. \u062a\u0633\u062a\u062e\u062f\u0645 Role ID (\u0645\u062b\u0644 \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645) \u0648Secret ID (\u0645\u062b\u0644 \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631) \u0644\u0644\u0645\u0635\u0627\u062f\u0642\u0629. \u064a\u0645\u0643\u0646 \u062a\u0643\u0648\u064a\u0646 Secret ID \u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0644\u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0645\u0639 \u0641\u062a\u0631\u0629 \u0635\u0644\u0627\u062d\u064a\u0629 \u0645\u062d\u062f\u062f\u0629 (TTL)\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644\u0647 \u0645\u0646\u0627\u0633\u0628\u0627\u064b \u0644\u0639\u064f\u0642\u062f CI.<\/p>\n \u0627\u0644\u0646\u0647\u062c \u0627\u0644\u062d\u062f\u064a\u062b \u0648\u0627\u0644\u0645\u0641\u0636\u0644 \u0644\u0640 GitHub Actions \u0647\u0648 \u0645\u0635\u0627\u062f\u0642\u0629 JWT\/OIDC. \u064a\u0645\u0643\u0646 \u0644\u0640 GitHub Actions \u0625\u0635\u062f\u0627\u0631 \u0631\u0645\u0632 OIDC \u0644\u0643\u0644 \u062a\u0634\u063a\u064a\u0644 \u0644\u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644\u060c \u0648\u064a\u0645\u0643\u0646 \u0644\u0640 Vault \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u062d\u0629 \u0647\u0630\u0627 \u0627\u0644\u0631\u0645\u0632 \u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u2014 \u0645\u0645\u0627 \u064a\u0644\u063a\u064a \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u062a\u062e\u0632\u064a\u0646 \u0623\u064a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f Vault \u0641\u064a GitHub.<\/p>\n \u062b\u0645 \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u064a\u062a\u0645\u062a\u0639 GitLab CI \u0628\u062f\u0639\u0645 \u0623\u0635\u0644\u064a \u0644\u062a\u0643\u0627\u0645\u0644 Vault \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0648\u0641\u064a \u0645\u0644\u0641 \u0625\u062d\u062f\u0649 \u0623\u0642\u0648\u0649 \u0645\u064a\u0632\u0627\u062a Vault \u0647\u064a \u062a\u0648\u0644\u064a\u062f \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062a\u062e\u0632\u064a\u0646 \u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u062b\u0627\u0628\u062a\u0629\u060c \u064a\u0645\u0643\u0646 \u0644\u0640 Vault \u0625\u0646\u0634\u0627\u0621 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u062d\u0633\u0628 \u0627\u0644\u0637\u0644\u0628. \u0639\u0646\u062f\u0645\u0627 \u064a\u0646\u062a\u0647\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628\u060c \u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/p>\n \u062a\u064f\u0632\u064a\u0644 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u0645\u0634\u0643\u0644\u0629 \u062a\u062f\u0648\u064a\u0631 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0628\u0627\u0644\u0643\u0627\u0645\u0644. \u064a\u062d\u0635\u0644 \u0643\u0644 \u062a\u0634\u063a\u064a\u0644 \u0644\u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0639\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0641\u0631\u064a\u062f\u0629 \u062e\u0627\u0635\u0629 \u0628\u0647\u060c \u0648\u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u0643\u0634\u0648\u0641\u0629 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/p>\n \u0623\u0647\u0645 \u062a\u0637\u0648\u0631 \u0641\u064a \u0625\u062f\u0627\u0631\u0629 \u0623\u0633\u0631\u0627\u0631 CI\/CD \u0641\u064a \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629 \u0647\u0648 \u0627\u062a\u062d\u0627\u062f \u0647\u0648\u064a\u0629 \u0623\u062d\u0645\u0627\u0644 \u0627\u0644\u0639\u0645\u0644 (Workload Identity Federation) \u2014 \u0642\u062f\u0631\u0629 \u0645\u0646\u0635\u0629 CI\/CD \u0639\u0644\u0649 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0645\u0628\u0627\u0634\u0631\u0629 \u0645\u0639 \u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0647\u0648\u064a\u062a\u0647\u0627 \u0627\u0644\u062e\u0627\u0635\u0629\u060c \u062f\u0648\u0646 \u0623\u064a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062e\u0632\u0646\u0629.<\/p>\n \u064a\u0645\u0643\u0646 \u0644\u0640 GitHub Actions \u062a\u0648\u0644\u064a \u062f\u0648\u0631 AWS IAM \u0645\u0628\u0627\u0634\u0631\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u062a\u062d\u0627\u062f OIDC. \u0644\u0627 \u064a\u062a\u0645 \u062a\u062e\u0632\u064a\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0635\u0648\u0644 AWS \u0641\u064a \u0623\u064a \u0645\u0643\u0627\u0646.<\/p>\n \u062a\u062f\u0639\u0645 Google Cloud \u0646\u0641\u0633 \u0627\u0644\u0646\u0645\u0637 \u0645\u0646 \u062e\u0644\u0627\u0644 Workload Identity Federation.<\/p>\n \u064a\u062f\u0639\u0645 GitLab CI \u0646\u0641\u0633 \u0646\u0645\u0637 \u0627\u062a\u062d\u0627\u062f OIDC \u0645\u0639 AWS \u0648GCP \u0648Azure. \u0627\u0644\u062a\u0643\u0648\u064a\u0646 \u0645\u0634\u0627\u0628\u0647 \u2014 \u062a\u0642\u0648\u0645 \u0628\u062a\u0643\u0648\u064a\u0646 \u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0644\u064a\u062b\u0642 \u0628\u0645\u064f\u0635\u062f\u0631 OIDC \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 GitLab \u0648\u0631\u0628\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0628\u0645\u0639\u0631\u0641\u0627\u062a \u0645\u0634\u0627\u0631\u064a\u0639 \u0623\u0648 \u0641\u0631\u0648\u0639 \u0623\u0648 \u0628\u064a\u0626\u0627\u062a \u0645\u062d\u062f\u062f\u0629.<\/p>\n \u0645\u0632\u0627\u064a\u0627 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0645\u062a\u062d\u062f\u0629 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0645\u0642\u0627\u0631\u0646\u0629 \u0628\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062e\u0632\u0646\u0629 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f \u0643\u0628\u064a\u0631\u0629:<\/p>\n \u0645\u0639\u0631\u0641\u0629 \u0645\u0627 \u0644\u0627<\/em> \u064a\u062c\u0628 \u0641\u0639\u0644\u0647 \u0644\u0627 \u064a\u0642\u0644 \u0623\u0647\u0645\u064a\u0629 \u0639\u0646 \u0645\u0639\u0631\u0641\u0629 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0635\u062d\u064a\u062d\u0629. \u062a\u064f\u0644\u0627\u062d\u0638 \u0647\u0630\u0647 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0636\u0627\u062f\u0629 \u0628\u0627\u0646\u062a\u0638\u0627\u0645 \u0641\u064a \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/p>\n \u062a\u064f\u0639\u062f \u0631\u0645\u0648\u0632 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0634\u062e\u0635\u064a\u0629 (PATs) \u0627\u0644\u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u062d\u0633\u0627\u0628\u0627\u062a \u0627\u0644\u0645\u0637\u0648\u0631\u064a\u0646 \u0627\u0644\u0623\u0641\u0631\u0627\u062f \u0623\u062d\u062f \u0623\u0643\u062b\u0631 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0634\u064a\u0648\u0639\u0627\u064b \u0648\u0623\u062e\u0637\u0631\u0647\u0627. \u0639\u0646\u062f\u0645\u0627 \u064a\u063a\u0627\u062f\u0631 \u0645\u0637\u0648\u0631 \u0627\u0644\u0645\u0624\u0633\u0633\u0629\u060c \u0642\u062f \u064a\u0633\u062a\u0645\u0631 \u0631\u0645\u0632 PAT \u0627\u0644\u062e\u0627\u0635 \u0628\u0647 \u0641\u064a \u0627\u0644\u0639\u0645\u0644. \u0639\u0627\u062f\u0629\u064b \u0645\u0627 \u062a\u062a\u0645\u062a\u0639 \u0631\u0645\u0648\u0632 PATs \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0648\u0627\u0633\u0639\u0629 \u2014 \u0623\u0643\u062b\u0631 \u0628\u0643\u062b\u064a\u0631 \u0645\u0645\u0627 \u064a\u062d\u062a\u0627\u062c\u0647 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u0625\u0630\u0627 \u062a\u0645 \u062a\u0633\u0631\u064a\u0628\u0647\u060c \u064a\u062d\u0635\u0644 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0643\u0644 \u0645\u0627 \u064a\u0645\u0643\u0646 \u0644\u0630\u0644\u0643 \u0627\u0644\u0645\u0637\u0648\u0631 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647.<\/p>\n \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643:<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 \u062d\u0633\u0627\u0628\u0627\u062a \u0622\u0644\u064a\u0629 \u0645\u0639 \u0631\u0645\u0648\u0632 \u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642\u060c \u0623\u0648 \u0627\u0644\u0623\u0641\u0636\u0644 \u0645\u0646 \u0630\u0644\u0643\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0631\u0645\u0648\u0632 \u062a\u062b\u0628\u064a\u062a GitHub App \u0623\u0648 \u0627\u062a\u062d\u0627\u062f OIDC.<\/p>\n \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0646\u0641\u0633 \u0643\u0644\u0645\u0629 \u0645\u0631\u0648\u0631 \u0642\u0627\u0639\u062f\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0644\u0644\u062a\u0637\u0648\u064a\u0631 \u0648\u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0648\u0627\u0644\u0625\u0646\u062a\u0627\u062c \u2014 \u0623\u0648 \u0646\u0641\u0633 \u0645\u0641\u062a\u0627\u062d API \u0644\u062c\u0645\u064a\u0639 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u2014 \u064a\u0639\u0646\u064a \u0623\u0646 \u0627\u062e\u062a\u0631\u0627\u0642 \u0623\u0642\u0644 \u0628\u064a\u0626\u0627\u062a\u0643 \u062a\u0623\u0645\u064a\u0646\u0627\u064b (\u0639\u0627\u062f\u0629\u064b \u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u0637\u0648\u064a\u0631) \u064a\u0645\u0646\u062d \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0648\u0635\u0648\u0644\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0641\u0635\u0644 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0644\u0627 \u0645\u0639\u0646\u0649 \u0644\u0647 \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062a\u0637\u0627\u0628\u0642\u0629.<\/p>\n \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643:<\/strong> \u0627\u0633\u062a\u062e\u062f\u0645 \u0623\u0633\u0631\u0627\u0631\u0627\u064b \u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642 \u062d\u0633\u0628 \u0627\u0644\u0628\u064a\u0626\u0629. \u0641\u064a GitHub Actions\u060c \u0642\u0645 \u0628\u062a\u0643\u0648\u064a\u0646 \u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u0645\u0639 \u0645\u062e\u0627\u0632\u0646 \u0623\u0633\u0631\u0627\u0631 \u062e\u0627\u0635\u0629 \u0628\u0647\u0627. \u0641\u064a GitLab\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0644\u0628\u064a\u0626\u0627\u062a \u0645\u0639\u064a\u0646\u0629.<\/p>\n \u0639\u0646\u062f\u0645\u0627 \u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u0633\u0631 \u0639\u0646 \u0637\u0631\u064a\u0642 \u0627\u0644\u062e\u0637\u0623\u060c \u0623\u0648 \u0625\u0636\u0627\u0641\u062a\u0647 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0623\u0648 \u0643\u0634\u0641\u0647 \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a \u0628\u0646\u0627\u0621\u060c \u062a\u0643\u062a\u0641\u064a \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u0641\u0631\u0642 \u0628\u062d\u0630\u0641 \u0627\u0644\u0633\u062c\u0644 \u0623\u0648 \u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u0640 commit \u062f\u0648\u0646 \u062a\u062f\u0648\u064a\u0631 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f. \u0647\u0630\u0627 \u063a\u064a\u0631 \u0643\u0627\u0641\u064d. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0641\u062a\u0631\u0636 \u0623\u0646 \u0627\u0644\u0633\u0631 \u0642\u062f \u062a\u0645 \u0631\u0635\u062f\u0647 \u0648\u062a\u0642\u0648\u0645 \u0628\u062a\u062f\u0648\u064a\u0631\u0647 \u0641\u0648\u0631\u0627\u064b.<\/p>\n \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643:<\/strong> \u062a\u0639\u0627\u0645\u0644 \u0645\u0639 \u0623\u064a \u0643\u0634\u0641 \u0639\u0644\u0649 \u0623\u0646\u0647 \u0627\u062e\u062a\u0631\u0627\u0642. \u0642\u0645 \u0628\u0627\u0644\u062a\u062f\u0648\u064a\u0631 \u0641\u0648\u0631\u0627\u064b. \u0623\u062a\u0645\u062a \u0627\u0644\u062a\u062f\u0648\u064a\u0631 \u062d\u064a\u062b\u0645\u0627 \u0623\u0645\u0643\u0646. \u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u0644\u062c\u0639\u0644 \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u063a\u064a\u0631 \u0630\u0627\u062a \u0635\u0644\u0629.<\/p>\n \u064a\u0639\u0645\u0644 \u062d\u062f\u062b \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643:<\/strong> \u0644\u0627 \u062a\u0642\u0645 \u0623\u0628\u062f\u0627\u064b \u0628\u0633\u062d\u0628 \u0648\u062a\u0646\u0641\u064a\u0630 \u0643\u0648\u062f \u0637\u0644\u0628 \u0627\u0644\u0633\u062d\u0628 \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 \u0644\u0627 \u064a\u0643\u0641\u064a \u0623\u064a \u062a\u062d\u0643\u0645 \u0648\u0627\u062d\u062f \u0628\u0645\u0641\u0631\u062f\u0647. \u062a\u062a\u0637\u0644\u0628 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0641\u0639\u0627\u0644\u0629 \u0637\u0628\u0642\u0627\u062a \u062f\u0641\u0627\u0639\u064a\u0629 \u0645\u062a\u0639\u062f\u062f\u0629 \u0648\u0645\u062a\u062f\u0627\u062e\u0644\u0629.<\/p>\n \u0646\u0641\u0651\u0630 \u0627\u0644\u0641\u062d\u0635 \u0641\u064a \u062b\u0644\u0627\u062b \u0645\u0631\u0627\u062d\u0644:<\/p>\n \u064a\u062c\u0628 \u062a\u0633\u062c\u064a\u0644 \u0643\u0644 \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0633\u0631. \u064a\u0648\u0641\u0631 Vault \u0633\u062c\u0644\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0645\u0641\u0635\u0644\u0629 \u0628\u0634\u0643\u0644 \u0627\u0641\u062a\u0631\u0627\u0636\u064a. \u064a\u062a\u0643\u0627\u0645\u0644 \u0645\u062f\u064a\u0631\u0648 \u0623\u0633\u0631\u0627\u0631 \u0645\u0632\u0648\u062f\u064a \u0627\u0644\u0633\u062d\u0627\u0628\u0629 (AWS Secrets Manager \u0648GCP Secret Manager) \u0645\u0639 CloudTrail \u0648Cloud Audit Logs \u0639\u0644\u0649 \u0627\u0644\u062a\u0648\u0627\u0644\u064a. \u0628\u0627\u0644\u0646\u0633\u0628\u0629 \u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0646\u0635\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629\u060c \u0641\u0639\u0651\u0644 \u0645\u064a\u0632\u0627\u062a \u0633\u062c\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0645\u062a\u0627\u062d\u0629 \u0641\u064a GitHub Enterprise \u0623\u0648 GitLab Ultimate.<\/p>\n \u0637\u0628\u0651\u0642 \u0645\u0628\u062f\u0623 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0628\u0634\u0643\u0644 \u0635\u0627\u0631\u0645:<\/p>\n \u064a\u062c\u0628 \u062a\u062f\u0648\u064a\u0631 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0648\u0641\u0642 \u062c\u062f\u0648\u0644 \u0645\u0646\u062a\u0638\u0645 \u0648\u0641\u0648\u0631\u0627\u064b \u0628\u0639\u062f \u0623\u064a \u0643\u0634\u0641 \u0645\u0634\u062a\u0628\u0647 \u0628\u0647. \u0623\u062a\u0645\u062a \u0647\u0630\u0647 \u0627\u0644\u0639\u0645\u0644\u064a\u0629:<\/p>\n \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0644\u064a\u0633\u062a \u062e\u0627\u0646\u0629 \u064a\u062a\u0645 \u062a\u062d\u062f\u064a\u062f\u0647\u0627 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0623\u0648\u0644\u064a \u0644\u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u0625\u0646\u0647\u0627 \u0645\u0645\u0627\u0631\u0633\u0629 \u0645\u0633\u062a\u0645\u0631\u0629 \u064a\u062c\u0628 \u0623\u0646 \u062a\u062a\u0637\u0648\u0631 \u0645\u0639 \u0646\u0645\u0648 \u0628\u0646\u064a\u062a\u0643 \u0627\u0644\u062a\u062d\u062a\u064a\u0629\u060c \u0648\u0645\u0639 \u0638\u0647\u0648\u0631 \u062a\u0642\u0646\u064a\u0627\u062a \u0647\u062c\u0648\u0645 \u062c\u062f\u064a\u062f\u0629\u060c \u0648\u0645\u0639 \u062a\u063a\u064a\u0631 \u0641\u0631\u064a\u0642\u0643. \u062a\u0645\u062b\u0644 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0648\u0635\u0648\u0641\u0629 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u2014 \u0627\u062a\u062d\u0627\u062f OIDC\u060c \u0648\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629\u060c \u0648\u0627\u0644\u062d\u0642\u0646 \u0627\u0644\u0641\u0648\u0631\u064a\u060c \u0648\u062a\u062d\u062f\u064a\u062f \u0646\u0637\u0627\u0642 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a\u060c \u0648\u0627\u0644\u0641\u062d\u0635 \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0637\u0628\u0642\u0627\u062a \u2014 \u0623\u062d\u062f\u062b \u0645\u0627 \u062a\u0648\u0635\u0644\u062a \u0625\u0644\u064a\u0647 \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0627\u062a \u0627\u0644\u062d\u0627\u0644\u064a\u0629\u060c \u0644\u0643\u0646\u0647\u0627 \u062a\u062a\u0637\u0644\u0628 \u0627\u0647\u062a\u0645\u0627\u0645\u0627\u064b \u0645\u0633\u062a\u0645\u0631\u0627\u064b.<\/p>\n \u0627\u0628\u062f\u0623 \u0628\u062a\u062f\u0642\u064a\u0642 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062d\u0627\u0644\u064a\u0629. \u062d\u062f\u062f \u0643\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062e\u0632\u0646\u0629. \u0644\u0643\u0644 \u0648\u0627\u062d\u062f \u0645\u0646\u0647\u0627\u060c \u0627\u0633\u0623\u0644: \u0647\u0644 \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u0628\u062f\u0627\u0644 \u0647\u0630\u0627 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0623\u0648 \u0627\u062a\u062d\u0627\u062f \u0647\u0648\u064a\u0629 \u0623\u062d\u0645\u0627\u0644 \u0627\u0644\u0639\u0645\u0644\u061f \u0647\u0644 \u064a\u0645\u0643\u0646 \u062a\u0636\u064a\u064a\u0642 \u0647\u0630\u0627 \u0627\u0644\u0646\u0637\u0627\u0642\u061f \u0647\u0644 \u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u0647\u0630\u0627 \u0627\u0644\u0633\u0631 \u0641\u064a \u0623\u064a \u0645\u0643\u0627\u0646\u061f \u0647\u0644 \u064a\u0648\u062c\u062f \u0645\u0633\u0627\u0631 \u062a\u062f\u0642\u064a\u0642 \u0644\u0643\u0644 \u0648\u0635\u0648\u0644\u061f<\/p>\n \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0639\u0627\u0646\u064a \u0645\u0646 \u0627\u062e\u062a\u0631\u0627\u0642\u0627\u062a CI\/CD \u0644\u064a\u0633\u062a \u062a\u0644\u0643 \u0627\u0644\u062a\u064a \u0644\u0645 \u062a\u062e\u0632\u0646 \u0633\u0631\u0627\u064b \u0623\u0628\u062f\u0627\u064b \u2014 \u0641\u0647\u0630\u0627 \u0645\u0633\u062a\u062d\u064a\u0644. \u0625\u0646\u0647\u0627 \u062a\u0644\u0643 \u0627\u0644\u062a\u064a \u062a\u0639\u0627\u0645\u0644\u062a \u0645\u0639 \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0643\u0645\u0647\u0645\u0629 \u062a\u0643\u0648\u064a\u0646 \u0644\u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0645\u0645\u0627\u0631\u0633\u0629 \u0623\u0645\u0646\u064a\u0629 \u062d\u064a\u0629. \u0627\u0628\u0646\u0650 \u0627\u0644\u0623\u062a\u0645\u062a\u0629\u060c \u0648\u0637\u0628\u0651\u0642 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a\u060c \u0648\u0631\u0627\u0642\u0628 \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0648\u0635\u0648\u0644\u060c \u0648\u0643\u0631\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u0629. \u0633\u062a\u0643\u0648\u0646 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0623\u0635\u0639\u0628 \u0628\u0643\u062b\u064a\u0631 \u0641\u064a \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0646\u062a\u064a\u062c\u0629 \u0644\u0630\u0644\u0643.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0645\u0642\u062f\u0645\u0629: \u0644\u0645\u0627\u0630\u0627 \u062a\u064f\u0639\u062f \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u0623\u0648\u0644 \u0644\u0627\u062e\u062a\u0631\u0627\u0642 CI\/CD \u0625\u0630\u0627 \u0641\u062d\u0635\u062a \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u062c\u0630\u0631\u064a \u0644\u0643\u0644 \u0627\u062e\u062a\u0631\u0627\u0642 \u0631\u0626\u064a\u0633\u064a \u062a\u0642\u0631\u064a\u0628\u0627\u064b \u0644\u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0641\u064a \u0627\u0644\u0633\u0646\u0648\u0627\u062a \u0627\u0644\u0623\u062e\u064a\u0631\u0629 \u2014 \u0645\u0646 \u0647\u062c\u0648\u0645 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0639\u0644\u0649 Codecov \u0625\u0644\u0649 \u062d\u0627\u062f\u062b\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0641\u064a CircleCI \u2014 \u0633\u062a\u062c\u062f \u0646\u0641\u0633 \u0627\u0644\u062c\u0627\u0646\u064a: \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0643\u0634\u0648\u0641\u0629. \u0645\u0641\u0627\u062a\u064a\u062d API\u060c \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629\u060c \u0648\u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0648\u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u2014 \u0647\u0630\u0647 \u0647\u064a \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d … \u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,28],"tags":[],"post_folder":[],"class_list":["post-779","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-pipeline-hardening"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=779"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/779\/revisions"}],"predecessor-version":[{"id":781,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/779\/revisions\/781"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=779"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0643\u064a\u0641 \u062a\u062a\u0639\u0631\u0636 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0644\u0644\u0643\u0634\u0641 \u0641\u064a CI\/CD<\/h2>\n
\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0636\u0645\u0646\u0629 \u0641\u064a \u0645\u0644\u0641\u0627\u062a \u0625\u0639\u062f\u0627\u062f \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0648 IaC<\/h3>\n
.github\/workflows\/deploy.yml<\/code> \u0623\u0648 \u0645\u0644\u0641 Terraform main.tf<\/code>\u060c \u062b\u0645 \u064a\u0642\u0648\u0645 \u0628\u0639\u0645\u0644 commit \u0648\u064a\u0646\u0633\u0649 \u0627\u0644\u0623\u0645\u0631. \u062d\u062a\u0649 \u0644\u0648 \u062a\u0645\u062a \u0625\u0632\u0627\u0644\u062a\u0647 \u0641\u064a commit \u0644\u0627\u062d\u0642\u060c \u064a\u0628\u0642\u0649 \u0627\u0644\u0633\u0631 \u0645\u0648\u062c\u0648\u062f\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u0623\u0628\u062f \u0641\u064a \u0633\u062c\u0644 Git.<\/p>\n# NEVER DO THIS \u2014 hardcoded credentials in a workflow file\njobs:\n deploy:\n runs-on: ubuntu-latest\n env:\n AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n steps:\n - run: aws s3 sync .\/build s3:\/\/my-bucket<\/code><\/pre>\n\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0645\u062a\u063a\u064a\u0631\u0627\u062a \u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u0637\u0628\u0648\u0639\u0629 \u0641\u064a \u0627\u0644\u0633\u062c\u0644\u0627\u062a<\/h3>\n
env<\/code> \u063a\u064a\u0631 \u0645\u062f\u0631\u0648\u0633\u060c \u0623\u0648 printenv<\/code> \u0644\u0644\u062a\u0635\u062d\u064a\u062d\u060c \u0623\u0648 \u0623\u062f\u0627\u0629 \u0645\u0637\u0648\u0644\u0629 \u062a\u0639\u0631\u0636 \u0625\u0639\u062f\u0627\u062f\u0627\u062a\u0647\u0627 \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0643\u0634\u0641 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u064a \u063a\u0627\u0644\u0628\u0627\u064b \u0645\u0627 \u064a\u062a\u0645 \u0627\u0644\u0627\u062d\u062a\u0641\u0627\u0638 \u0628\u0647\u0627 \u0644\u0623\u064a\u0627\u0645 \u0623\u0648 \u0623\u0633\u0627\u0628\u064a\u0639 \u0648\u064a\u0645\u0643\u0646 \u0644\u062c\u0645\u064a\u0639 \u0623\u0639\u0636\u0627\u0621 \u0627\u0644\u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647\u0627.<\/p>\n# Dangerous: this prints ALL environment variables, including secrets\n- run: printenv | sort\n\n# Also dangerous: verbose flags in tools that dump config\n- run: terraform plan -debug<\/code><\/pre>\n\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062d\u0641\u0648\u0638\u0629 \u0641\u064a \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0623\u0648 \u0637\u0628\u0642\u0627\u062a \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a<\/h3>\n
RUN<\/code> \u0644\u0627\u062d\u0642\u0629. \u0648\u0628\u0627\u0644\u0645\u062b\u0644\u060c \u0642\u062f \u062a\u062d\u062a\u0648\u064a \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u2014 \u0645\u0644\u0641\u0627\u062a JAR \u0648ZIP \u0648\u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062a\u0646\u0641\u064a\u0630\u064a\u0629 \u0627\u0644\u0645\u062c\u0645\u0639\u0629 \u2014 \u0639\u0644\u0649 \u0645\u0644\u0641\u0627\u062a \u0625\u0639\u062f\u0627\u062f \u062a\u062a\u0636\u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0643\u0627\u0646\u062a \u0645\u0648\u062c\u0648\u062f\u0629 \u0648\u0642\u062a \u0627\u0644\u0628\u0646\u0627\u0621.<\/p>\n# BAD: The secret persists in the layer created by the COPY instruction\nCOPY .env \/app\/.env\nRUN \/app\/setup.sh\nRUN rm \/app\/.env # Too late \u2014 it is still in a previous layer<\/code><\/pre>\n\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062a\u0627\u062d\u0629 \u0644\u0633\u064a\u0631 \u0639\u0645\u0644 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u0629<\/h3>\n
pull_request<\/code> \u0645\u0646 \u0627\u0644\u0646\u0633\u062e \u0627\u0644\u0645\u062a\u0634\u0639\u0628\u0629 \u2014 \u0648\u0630\u0644\u0643 \u062d\u0633\u0628 \u0627\u0644\u062a\u0635\u0645\u064a\u0645. \u0648\u0645\u0639 \u0630\u0644\u0643\u060c \u0641\u0625\u0646 \u062d\u062f\u062b pull_request_target<\/code> \u0644\u062f\u064a\u0647<\/em> \u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0648\u0625\u0630\u0627 \u0642\u0627\u0645 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0628\u0633\u062d\u0628 \u0648\u062a\u0646\u0641\u064a\u0630 \u0643\u0648\u062f \u0645\u0624\u0644\u0641 \u0637\u0644\u0628 \u0627\u0644\u0633\u062d\u0628\u060c \u0641\u0625\u0646\u0647 \u064a\u0646\u0634\u0626 \u0645\u0633\u0627\u0631\u0627\u064b \u0645\u0628\u0627\u0634\u0631\u0627\u064b \u0644\u062a\u0633\u0631\u064a\u0628 \u0627\u0644\u0623\u0633\u0631\u0627\u0631.<\/p>\n\u0646\u0637\u0627\u0642\u0627\u062a \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0648\u0627\u0633\u0639\u0629 \u0628\u0634\u0643\u0644 \u0645\u0641\u0631\u0637<\/h3>\n
\u0623\u0646\u0645\u0627\u0637 \u062d\u0642\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h2>\n
\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u0646\u0635\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629<\/h3>\n
# GitHub Actions: referencing a repository secret\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Deploy to production\n env:\n API_KEY: ${{ secrets.PRODUCTION_API_KEY }}\n run: .\/deploy.sh<\/code><\/pre>\n# GitLab CI: using a masked, protected variable\ndeploy:\n stage: deploy\n script:\n - echo \"Deploying with masked credentials\"\n - .\/deploy.sh\n variables:\n API_KEY: $PRODUCTION_API_KEY\n only:\n - main<\/code><\/pre>\n\u0645\u062f\u064a\u0631\u0648 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062e\u0627\u0631\u062c\u064a\u0648\u0646<\/h3>\n
\u0627\u0644\u062d\u0642\u0646 \u0627\u0644\u0641\u0648\u0631\u064a \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u062d\u0645\u0644\u0629 \u0645\u0633\u0628\u0642\u0627\u064b<\/h3>\n
# JIT injection: fetch the secret only when needed\n- name: Get database credentials\n run: |\n DB_CREDS=$(vault kv get -format=json secret\/data\/myapp\/db)\n export DB_USER=$(echo $DB_CREDS | jq -r '.data.data.username')\n export DB_PASS=$(echo $DB_CREDS | jq -r '.data.data.password')\n .\/run-migrations.sh<\/code><\/pre>\n\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0645\u064f\u062e\u0641\u0627\u0629 \u0645\u0642\u0627\u0628\u0644 \u0627\u0644\u0645\u0634\u0641\u0631\u0629<\/h3>\n
\u062f\u0645\u062c HashiCorp Vault \u0645\u0639 CI\/CD<\/h2>\n
\u0645\u0635\u0627\u062f\u0642\u0629 Vault AppRole \u0644\u0639\u064f\u0642\u062f CI<\/h3>\n
# Enable AppRole auth method\nvault auth enable approle\n\n# Create a policy for CI\nvault policy write ci-deploy - <<EOF\npath \"secret\/data\/myapp\/*\" {\n capabilities = [\"read\"]\n}\npath \"database\/creds\/myapp-role\" {\n capabilities = [\"read\"]\n}\nEOF\n\n# Create an AppRole with the CI policy\nvault write auth\/approle\/role\/ci-deploy \\\n token_policies=\"ci-deploy\" \\\n token_ttl=15m \\\n token_max_ttl=30m \\\n secret_id_ttl=10m \\\n secret_id_num_uses=1\n\n# Retrieve the Role ID (store in CI platform as a non-sensitive variable)\nvault read auth\/approle\/role\/ci-deploy\/role-id\n\n# Generate a single-use Secret ID (store in CI platform as a secret)\nvault write -f auth\/approle\/role\/ci-deploy\/secret-id<\/code><\/pre>\n\u0645\u0635\u0627\u062f\u0642\u0629 Vault JWT\/OIDC \u0645\u0639 GitHub Actions<\/h3>\n
# Configure Vault JWT auth for GitHub Actions\nvault auth enable jwt\n\nvault write auth\/jwt\/config \\\n bound_issuer=\"https:\/\/token.actions.githubusercontent.com\" \\\n oidc_discovery_url=\"https:\/\/token.actions.githubusercontent.com\"\n\n# Create a role that binds to a specific repo and branch\nvault write auth\/jwt\/role\/github-deploy \\\n role_type=\"jwt\" \\\n bound_audiences=\"https:\/\/github.com\/my-org\" \\\n bound_claims_type=\"glob\" \\\n bound_claims='{\"sub\": \"repo:my-org\/my-repo:ref:refs\/heads\/main\"}' \\\n user_claim=\"repository_owner\" \\\n token_policies=\"ci-deploy\" \\\n token_ttl=\"10m\"<\/code><\/pre>\nhashicorp\/vault-action<\/code>:<\/p>\njobs:\n deploy:\n runs-on: ubuntu-latest\n permissions:\n id-token: write\n contents: read\n steps:\n - name: Import secrets from Vault\n uses: hashicorp\/vault-action@v3\n with:\n url: https:\/\/vault.mycompany.com\n method: jwt\n role: github-deploy\n jwtGithubAudience: https:\/\/github.com\/my-org\n secrets: |\n secret\/data\/myapp\/db username | DB_USER ;\n secret\/data\/myapp\/db password | DB_PASS\n\n - name: Run deployment\n run: |\n echo \"Deploying with fetched credentials\"\n .\/deploy.sh<\/code><\/pre>\n\u0645\u0635\u0627\u062f\u0642\u0629 Vault JWT \u0645\u0639 GitLab CI<\/h3>\n
id_tokens<\/code>. \u064a\u0645\u0643\u0646 \u0644\u0640 GitLab \u0625\u0646\u0634\u0627\u0621 \u0631\u0645\u0632 JWT \u064a\u062a\u062d\u0642\u0642 \u0645\u0646\u0647 Vault\u060c \u0639\u0644\u0649 \u063a\u0631\u0627\u0631 \u0646\u0647\u062c GitHub Actions.<\/p>\n# Configure Vault for GitLab JWT auth\nvault auth enable -path=gitlab jwt\n\nvault write auth\/gitlab\/config \\\n bound_issuer=\"https:\/\/gitlab.com\" \\\n jwks_url=\"https:\/\/gitlab.com\/-\/jwks\" \\\n supported_algs=\"RS256\"\n\nvault write auth\/gitlab\/role\/gitlab-deploy \\\n role_type=\"jwt\" \\\n bound_claims='{\"project_id\": \"12345\", \"ref_protected\": \"true\"}' \\\n user_claim=\"user_email\" \\\n token_policies=\"ci-deploy\" \\\n token_ttl=\"10m\"<\/code><\/pre>\n.gitlab-ci.yml<\/code> \u0627\u0644\u062e\u0627\u0635 \u0628\u0643:<\/p>\ndeploy:\n stage: deploy\n id_tokens:\n VAULT_ID_TOKEN:\n aud: https:\/\/vault.mycompany.com\n secrets:\n DB_USER:\n vault: myapp\/db\/username@secret\n token: $VAULT_ID_TOKEN\n DB_PASS:\n vault: myapp\/db\/password@secret\n token: $VAULT_ID_TOKEN\n script:\n - .\/deploy.sh<\/code><\/pre>\n\u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629<\/h3>\n
# Enable the database secrets engine\nvault secrets enable database\n\n# Configure a PostgreSQL connection\nvault write database\/config\/myapp-db \\\n plugin_name=postgresql-database-plugin \\\n connection_url=\"postgresql:\/\/{{username}}:{{password}}@db.mycompany.com:5432\/myapp\" \\\n allowed_roles=\"myapp-role\" \\\n username=\"vault_admin\" \\\n password=\"vault_admin_password\"\n\n# Create a role that generates credentials with a 1-hour TTL\nvault write database\/roles\/myapp-role \\\n db_name=myapp-db \\\n creation_statements=\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\" \\\n default_ttl=\"1h\" \\\n max_ttl=\"2h\"\n\n# In your pipeline, fetch dynamic credentials\n# vault read database\/creds\/myapp-role\n# Returns a unique username\/password pair valid for 1 hour<\/code><\/pre>\n\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0648\u0647\u0648\u064a\u0629 \u0623\u062d\u0645\u0627\u0644 \u0627\u0644\u0639\u0645\u0644<\/h2>\n
GitHub Actions OIDC \u0645\u0639 AWS<\/h3>\n
# First, create an OIDC identity provider in AWS (via Terraform)\nresource \"aws_iam_openid_connect_provider\" \"github\" {\n url = \"https:\/\/token.actions.githubusercontent.com\"\n client_id_list = [\"sts.amazonaws.com\"]\n thumbprint_list = [\"6938fd4d98bab03faadb97b34396831e3780aea1\"]\n}\n\n# Create an IAM role that GitHub Actions can assume\nresource \"aws_iam_role\" \"github_actions\" {\n name = \"github-actions-deploy\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = {\n Federated = aws_iam_openid_connect_provider.github.arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"token.actions.githubusercontent.com:aud\" = \"sts.amazonaws.com\"\n }\n StringLike = {\n \"token.actions.githubusercontent.com:sub\" = \"repo:my-org\/my-repo:ref:refs\/heads\/main\"\n }\n }\n }]\n })\n}<\/code><\/pre>\n# GitHub Actions workflow using OIDC\njobs:\n deploy:\n runs-on: ubuntu-latest\n permissions:\n id-token: write\n contents: read\n steps:\n - uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-deploy\n aws-region: us-east-1\n role-duration-seconds: 900 # 15 minutes\n\n - name: Deploy\n run: aws s3 sync .\/build s3:\/\/my-bucket<\/code><\/pre>\nGitHub Actions OIDC \u0645\u0639 GCP<\/h3>\n
# Create a Workload Identity Pool and Provider (gcloud CLI)\ngcloud iam workload-identity-pools create \"github-pool\" \\\n --project=\"my-project\" \\\n --location=\"global\" \\\n --display-name=\"GitHub Actions Pool\"\n\ngcloud iam workload-identity-pools providers create-oidc \"github-provider\" \\\n --project=\"my-project\" \\\n --location=\"global\" \\\n --workload-identity-pool=\"github-pool\" \\\n --display-name=\"GitHub Provider\" \\\n --attribute-mapping=\"google.subject=assertion.sub,attribute.repository=assertion.repository\" \\\n --attribute-condition=\"assertion.repository_owner == 'my-org'\" \\\n --issuer-uri=\"https:\/\/token.actions.githubusercontent.com\"\n\n# Grant the Workload Identity the ability to impersonate a service account\ngcloud iam service-accounts add-iam-policy-binding \\\n deploy-sa@my-project.iam.gserviceaccount.com \\\n --role=\"roles\/iam.workloadIdentityUser\" \\\n --member=\"principalSet:\/\/iam.googleapis.com\/projects\/123456\/locations\/global\/workloadIdentityPools\/github-pool\/attribute.repository\/my-org\/my-repo\"<\/code><\/pre>\n# GitHub Actions workflow for GCP\njobs:\n deploy:\n runs-on: ubuntu-latest\n permissions:\n id-token: write\n contents: read\n steps:\n - uses: google-github-actions\/auth@v2\n with:\n workload_identity_provider: projects\/123456\/locations\/global\/workloadIdentityPools\/github-pool\/providers\/github-provider\n service_account: deploy-sa@my-project.iam.gserviceaccount.com\n\n - name: Deploy to Cloud Run\n run: gcloud run deploy my-service --image=gcr.io\/my-project\/my-app:latest<\/code><\/pre>\n\u0627\u062a\u062d\u0627\u062f OIDC \u0641\u064a GitLab CI<\/h3>\n
# GitLab CI with AWS OIDC\nassume_role:\n stage: deploy\n id_tokens:\n AWS_OIDC_TOKEN:\n aud: https:\/\/sts.amazonaws.com\n script:\n - >\n STS_CREDS=$(aws sts assume-role-with-web-identity\n --role-arn arn:aws:iam::123456789012:role\/gitlab-deploy\n --role-session-name \"gitlab-ci-${CI_PIPELINE_ID}\"\n --web-identity-token \"${AWS_OIDC_TOKEN}\"\n --duration-seconds 900)\n - export AWS_ACCESS_KEY_ID=$(echo $STS_CREDS | jq -r '.Credentials.AccessKeyId')\n - export AWS_SECRET_ACCESS_KEY=$(echo $STS_CREDS | jq -r '.Credentials.SecretAccessKey')\n - export AWS_SESSION_TOKEN=$(echo $STS_CREDS | jq -r '.Credentials.SessionToken')\n - aws s3 sync .\/build s3:\/\/my-bucket<\/code><\/pre>\n\u0644\u0645\u0627\u0630\u0627 \u062a\u062a\u0641\u0648\u0642 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631<\/h3>\n
\n
\u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u0636\u0627\u062f\u0629 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u062a\u062c\u0646\u0628\u0647\u0627<\/h2>\n
\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0631\u0645\u0648\u0632 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0634\u062e\u0635\u064a\u0629 \u0641\u064a CI<\/h3>\n
\u0645\u0634\u0627\u0631\u0643\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0639\u0628\u0631 \u0627\u0644\u0628\u064a\u0626\u0627\u062a<\/h3>\n
\u0639\u062f\u0645 \u062a\u062f\u0648\u064a\u0631 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0628\u0639\u062f \u0627\u0644\u0643\u0634\u0641<\/h3>\n
\u0627\u0644\u0648\u062b\u0648\u0642 \u0628\u0640 pull_request_target \u0645\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h3>\n
pull_request_target<\/code> \u0641\u064a GitHub Actions \u0641\u064a \u0633\u064a\u0627\u0642 \u0627\u0644\u0641\u0631\u0639 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u060c \u0645\u0645\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u064a\u0645\u062a\u0644\u0643 \u0648\u0635\u0648\u0644\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631. \u0647\u0630\u0627 \u0645\u064f\u0635\u0645\u0645 \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0622\u0645\u0646\u0629 \u0645\u062b\u0644 \u062a\u0635\u0646\u064a\u0641 \u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0633\u062d\u0628. \u0648\u0645\u0639 \u0630\u0644\u0643\u060c \u0625\u0630\u0627 \u0642\u0627\u0645 \u0633\u064a\u0631 \u0639\u0645\u0644\u0643 \u0628\u0633\u062d\u0628 \u0645\u0631\u062c\u0639 \u0631\u0623\u0633 \u0637\u0644\u0628 \u0627\u0644\u0633\u062d\u0628 \u0648\u062a\u0634\u063a\u064a\u0644 \u0630\u0644\u0643 \u0627\u0644\u0643\u0648\u062f\u060c \u0641\u0642\u062f \u0645\u0646\u062d\u062a \u0645\u0633\u0627\u0647\u0645\u0627\u064b \u062e\u0627\u0631\u062c\u064a\u0627\u064b \u0648\u0635\u0648\u0644\u0627\u064b \u0643\u0627\u0645\u0644\u0627\u064b \u0625\u0644\u0649 \u0623\u0633\u0631\u0627\u0631\u0643.<\/p>\n# DANGEROUS: This gives the PR author access to all repository secrets\non: pull_request_target\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n with:\n ref: ${{ github.event.pull_request.head.sha }} # Checking out untrusted code!\n - run: make test # Running untrusted code with access to secrets!<\/code><\/pre>\npull_request_target<\/code>. \u0625\u0630\u0627 \u0643\u0646\u062a \u0628\u062d\u0627\u062c\u0629 \u0644\u062a\u0634\u063a\u064a\u0644 \u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0639\u0644\u0649 \u0643\u0648\u062f \u0637\u0644\u0628 \u0627\u0644\u0633\u062d\u0628 \u0645\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0646\u0647\u062c \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u0632\u062f\u0648\u062c: \u0634\u063a\u0651\u0644 \u0627\u0644\u0643\u0648\u062f \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u062b\u0648\u0642 \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 pull_request<\/code> (\u0628\u062f\u0648\u0646 \u0623\u0633\u0631\u0627\u0631)\u060c \u062b\u0645 \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0634\u063a\u0644 workflow_run<\/code> \u0645\u0646\u0641\u0635\u0644 \u0644\u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0645\u0648\u062b\u0648\u0642\u0629.<\/p>\n\u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0637\u0628\u0642\u0627\u062a: \u0646\u0647\u062c \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0645\u0633\u062a\u0648\u064a\u0627\u062a<\/h2>\n
\u0641\u062d\u0635 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h3>\n
\n
gitleaks<\/code> \u0623\u0648 detect-secrets<\/code> \u0643\u062e\u0637\u0627\u0641\u0627\u062a pre-commit \u0644\u0645\u0646\u0639 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0645\u0646 \u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0623\u0635\u0644\u0627\u064b.<\/li>\ntrufflehog<\/code> \u0641\u062d\u0635 \u0627\u0644\u0641\u0631\u0648\u0642\u0627\u062a \u0648\u0633\u062c\u0644 \u0627\u0644\u0640 commits \u0648\u062d\u062a\u0649 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062b\u0646\u0627\u0626\u064a\u0629.<\/li>\n# Pre-commit hook with gitleaks\n# .pre-commit-config.yaml\nrepos:\n - repo: https:\/\/github.com\/gitleaks\/gitleaks\n rev: v8.21.2\n hooks:\n - id: gitleaks<\/code><\/pre>\n# In-pipeline scanning with trufflehog\n- name: Scan for secrets\n run: |\n docker run --rm -v \"$PWD:\/repo\" trufflesecurity\/trufflehog:latest \\\n git file:\/\/\/repo --only-verified --fail<\/code><\/pre>\n\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0644\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631<\/h3>\n
# Enable Vault audit logging\nvault audit enable file file_path=\/var\/log\/vault\/audit.log\n\n# Each access generates a log entry like:\n# {\"type\": \"response\", \"auth\": {\"token_type\": \"service\", \"policies\": [\"ci-deploy\"]},\n# \"request\": {\"path\": \"secret\/data\/myapp\/db\", \"operation\": \"read\"}, ...}<\/code><\/pre>\n\u062a\u0637\u0628\u064a\u0642 \u0645\u0628\u062f\u0623 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a<\/h3>\n
\n
# Vault policy: minimal access for a specific microservice's CI\npath \"secret\/data\/payments-service\/production\" {\n capabilities = [\"read\"]\n}\n\n# Deny access to everything else by default (Vault's default behavior)\n# No wildcards, no broad paths<\/code><\/pre>\n\u0627\u0644\u062a\u062f\u0648\u064a\u0631 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a<\/h3>\n
\n
# AWS Secrets Manager: configure automatic rotation\naws secretsmanager rotate-secret \\\n --secret-id myapp\/api-key \\\n --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:rotate-api-key \\\n --rotation-rules '{\"ScheduleExpression\": \"rate(30 days)\"}'<\/code><\/pre>\n\u0627\u0644\u062e\u0644\u0627\u0635\u0629: \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0639\u0645\u0644\u064a\u0629 \u0645\u0633\u062a\u0645\u0631\u0629<\/h2>\n