2.0 KiB · text 5af55d9
defmodule GitGud.Repo.Migrations.CreateSecretsAndVars do
use Ecto.Migration
def change do
# Encrypted at rest. The plaintext is never persisted; we keep the
# AES-GCM ciphertext + IV + tag plus the key id used to encrypt
# (so future key rotation can identify rows to re-wrap).
create table(:repository_secrets) do
add :repository_id, references(:repositories, on_delete: :delete_all), null: false
add :name, :string, null: false, size: 100
add :ciphertext, :binary, null: false
add :iv, :binary, null: false
add :tag, :binary, null: false
add :key_id, :string, null: false, default: "default"
timestamps(type: :utc_datetime)
end
create unique_index(:repository_secrets, [:repository_id, :name])
create table(:organization_secrets) do
add :organization_id, references(:organizations, on_delete: :delete_all), null: false
add :name, :string, null: false, size: 100
add :ciphertext, :binary, null: false
add :iv, :binary, null: false
add :tag, :binary, null: false
add :key_id, :string, null: false, default: "default"
timestamps(type: :utc_datetime)
end
create unique_index(:organization_secrets, [:organization_id, :name])
# Variables are plaintext — they're not sensitive (think env var
# defaults the user wants to share).
create table(:repository_variables) do
add :repository_id, references(:repositories, on_delete: :delete_all), null: false
add :name, :string, null: false, size: 100
add :value, :text, null: false, default: ""
timestamps(type: :utc_datetime)
end
create unique_index(:repository_variables, [:repository_id, :name])
create table(:organization_variables) do
add :organization_id, references(:organizations, on_delete: :delete_all), null: false
add :name, :string, null: false, size: 100
add :value, :text, null: false, default: ""
timestamps(type: :utc_datetime)
end
create unique_index(:organization_variables, [:organization_id, :name])
end
end