Secure Runtime

May 10, 2026 ยท View on GitHub

This document describes secure runtime practices for Hex registry infrastructure.

Deployment Controls

Deployments are triggered via a Slack bot by authorized operators. The bot initiates a CI pipeline (GitHub Actions) that builds Docker images and applies Kubernetes manifests. Deployments are only automatically applied from the main branch; other branches are validated but not deployed. The bot monitors rollout progress (pod readiness) in real time and reports status back to Slack. Rollbacks are performed manually by redeploying a previous commit via the same mechanism. Concurrency controls prevent simultaneous deployments to the same environment.

Secrets Management

In Development

PracticeStatus
No secrets in source codeEnforced
Environment-based configurationImplemented
Separate credentials per environmentImplemented

In CI/CD

SecretStorageAccess
GCP service account (application repos)None in repo secretsOIDC workload identity
GCP service account (infrastructure repo)GitHub secrets (long-lived JSON key)Direct credential, scoped per environment
Database credentialsRuntime secretsProduction only

Production

AspectImplementation
Secrets storageEncrypted with GCP KMS, stored in infrastructure config
Application repo CI accessOIDC workload identity federation (no long-lived keys)
Infrastructure repo CI accessLong-lived service account key in GitHub Actions secrets, scoped per environment
Environment isolationSeparate credentials for staging and production

Service Ownership

Response Team

Incident response roles:

RoleResponsibility
Security leadTriage and coordination
DevelopmentFix implementation
OperationsDeployment and monitoring

Monitoring

Health and Availability

ActivityPurpose
Health checksVerify service availability
Uptime monitoringTrack service availability

Error Tracking

ActivityPurpose
Error monitoringSentry integration
AlertingNotification on anomalies

Metrics

ActivityPurpose
TelemetryPerformance and usage metrics
LoggingAudit trail and debugging