How we manage CI sensitive data for our Open Source deployment Engine
Blog post from Qovery
Qovery is developing an open-source project called "Qovery Engine," hosted on GitHub, which facilitates the deployment of Kubernetes infrastructure, managed cloud services, and containers on various cloud providers. The project employs a multifaceted testing approach, including unit, functional, and end-to-end tests, to ensure its reliability and functionality.

Due to security concerns, some tests cannot be run publicly. This leads to the use of self-hosted runners and a secure management system for sensitive data, such as passwords and tokens, stored in a Vault cluster. While GitHub Actions handles unit tests and linter checks, functional tests are managed through GitLab pipelines, ensuring that only authorized members of the GitHub Qovery organization can execute them.

This setup provides a balance between security and open-source collaboration: public contributions remain possible while sensitive information is protected through selective test access and the use of GitHub labels to filter specific tests. Implementing these security measures and testing processes has been a complex but necessary trade-off to maintain the integrity and functionality of the Qovery Engine project.
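The gating pattern described above, written out as a GitHub Actions workflow. This is an added example, not Qovery's own workflow: it assumes a label named `run-functional-tests`, an org slug `Qovery`, a secret `ORG_READ_TOKEN` holding a token with `read:org` scope, secrets `GITLAB_TRIGGER_TOKEN` and `GITLAB_PROJECT_ID` for the GitLab pipeline trigger API, and a GitLab host `gitlab.example.com`. The workflow only verifies who applied the label and hands the commit SHA to GitLab; it never checks out pull-request code, so untrusted contributions never run with repository secrets in reach, and the Vault-backed secrets stay on the self-hosted GitLab side.

```yaml
# Added example (not the Qovery Engine repository's own workflow).
# Public unit tests stay in their own secret-free workflow; this one only
# decides whether the private functional-test pipeline may be triggered.
name: functional-tests-gate

on:
  pull_request_target:        # also fires for fork PRs, with repository secrets available,
    types: [labeled]          # so this job deliberately never checks out PR code

permissions:
  contents: read

jobs:
  gate:
    # React only to the label that requests the private test suite (assumed label name).
    if: github.event.label.name == 'run-functional-tests'
    runs-on: ubuntu-latest
    env:
      ORG: Qovery                        # assumed organization slug
      LABELER: ${{ github.actor }}       # the user who applied the label, not the PR author
    steps:
      - name: Verify that the labeler is an organization member
        env:
          GH_TOKEN: ${{ secrets.ORG_READ_TOKEN }}   # assumed: token with read:org scope
        run: |
          # GET /orgs/{org}/members/{username} answers 204 for members and 404 otherwise;
          # gh exits non-zero on 404, so the job stops before anything is triggered.
          if gh api --silent "orgs/$ORG/members/$LABELER"; then
            echo "$LABELER is a member of $ORG; functional tests allowed"
          else
            echo "::error::$LABELER is not a member of $ORG; refusing to trigger functional tests"
            exit 1
          fi

      - name: Trigger the GitLab functional-test pipeline
        env:
          GITLAB_TRIGGER_TOKEN: ${{ secrets.GITLAB_TRIGGER_TOKEN }}   # assumed secret name
          GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}         # assumed secret name
          PR_SHA: ${{ github.event.pull_request.head.sha }}           # SHA at labeling time
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # GitLab pipeline trigger API: POST /projects/:id/trigger/pipeline.
          # Only the commit SHA and PR number cross the boundary; the GitLab job on the
          # self-hosted runner fetches the reviewed commit itself and reads its
          # credentials from Vault, so no Vault secret is ever present in GitHub Actions.
          # Commits pushed after labeling are not picked up: the SHA is pinned here.
          curl --fail --silent --show-error \
            --request POST \
            --form "token=$GITLAB_TRIGGER_TOKEN" \
            --form "ref=main" \
            --form "variables[PR_SHA]=$PR_SHA" \
            --form "variables[PR_NUMBER]=$PR_NUMBER" \
            "https://gitlab.example.com/api/v4/projects/$GITLAB_PROJECT_ID/trigger/pipeline"
```

Two design choices carry the security argument. First, `pull_request_target` is used so that fork contributions can be gated at all (plain `pull_request` runs from forks receive no secrets), but the job contains no `actions/checkout` of the PR head, which is the usual way privileged workflows end up executing untrusted code. Second, the membership check looks at `github.actor`, the person who applied the label, rather than the PR author, so an outside contributor cannot self-authorize by labeling their own PR; only an organization member adding the label opens the door to the Vault-backed tests.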