ADR-005: 1Password + GitHub Actions
Publishable summary of this architecture decision.
Decision
Use 1Password as the secrets source, with Service Accounts for CI and 1Password Connect on servers when needed.
| Context | Mechanism |
|---|---|
| GitHub Actions | project-scoped or shared Service Account |
| EC2/Docker servers | co-located 1Password Connect |
| Shared secrets | controlled CI-* vaults |
| Project secrets | project-specific Service Account and vault |
Publishable docs must never expose secrets, tokenized origins, sensitive hosts, or unnecessary operational paths.
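
A check for the publishing rule above, as an added example (not part of this ADR or the project's tooling): it flags lines in a publishable document that carry token-shaped strings, tokenized origins, or hosts under a deny-listed suffix. The regexes, the `.corp.example` suffix and the sample document are assumptions constructed for illustration.

```python
import re

# Assumed patterns for this example; tune them to the tokens your stack issues.
RULES = {
    # 1Password Service Account tokens carry an "ops_" prefix.
    "op-service-account-token": re.compile(r"\bops_[A-Za-z0-9_=-]{20,}"),
    # GitHub tokens: ghp_, gho_, ghu_, ghs_, ghr_ followed by 36+ characters.
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),
    # Tokenized origin: credentials embedded in the userinfo part of an HTTP(S) URL.
    "tokenized-origin": re.compile(r"https?://[^\s/@]+@[^\s/]+", re.I),
}
# Loose hostname matcher, used only to compare against the deny-listed suffixes.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]+\b", re.I)


def scan_doc(text, sensitive_suffixes=()):
    """Return sorted (line_number, rule) findings; matched values are never returned."""
    suffixes = tuple(s.lower() for s in sensitive_suffixes)
    findings = set()
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.add((no, rule))
        for host in HOSTNAME.findall(line):
            if host.lower().endswith(suffixes):
                findings.add((no, "sensitive-host"))
    return sorted(findings)


# Constructed sample document; the token bodies are filler, not real credentials.
SAMPLE_DOC = "\n".join([
    "Secrets are read at runtime from op://CI-shared/deploy/token",
    "Clone with https://x-access-token:ghs_" + "A" * 36 + "@github.com/acme/app.git",
    "export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJ" + "x" * 40,
    "Connect listens on connect.prod.corp.example:8080",
    "Setup guide: https://docs.example.org/setup",
])

if __name__ == "__main__":
    for line_no, rule in scan_doc(SAMPLE_DOC, sensitive_suffixes=(".corp.example",)):
        print(f"line {line_no}: {rule}")
```

Findings report only the line number and rule name, so the check's own output can be kept in CI logs without repeating the leaked value.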