Include references to secret management systems

carturoch · carturoch · commit 607068970096 · 2023-03-28T11:39:07.000-04:00
diff --git a/Readme.md b/Readme.md
@@ -1,6 +1,6 @@
 # Sample GitHub App
 
-Minimal example of a GitHub App using [octokit.js](https://github.com/octokit/octokit.js).
+Example of an integration via GitHub App using [octokit.js](https://github.com/octokit/octokit.js).
 
 ## Requirements
 
@@ -9,7 +9,8 @@ Minimal example of a GitHub App using [octokit.js](https://github.com/octokit/oc
   - Pull requests: Read & write
   - Metadata: Read-only
 - (For local development) A tunnel to expose your local server to the internet (e.g. [smee](https://smee.io/), [ngrok](https://ngrok.com/) or [cloudflared](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/))
-  
+- Your GitHub App Webhook must be configured to receive events at a URL that is accessible from the internet.
+
 ## Setup
 
 1. Clone this repository.
@@ -29,3 +30,14 @@ the corresponding Webhook [payload](https://docs.github.com/webhooks-and-events/
 The server in this example listens for `pull_request.opened` events and acts on
 them by creating a comment on the pull request, with the message in `message.md`,
 using the [octokit.js rest methods](https://github.com/octokit/octokit.js#octokitrest-endpoint-methods).
+
+## Security considerations
+
+To keep things simple, this example reads the `GITHUB_APP_PRIVATE_KEY` from the
+environment. A more secure and recommended approach is to use a secrets management system
+like [Vault](https://www.vaultproject.io/use-cases/key-management), or one offered
+by major cloud providers:
+[Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-node?tabs=windows),
+[AWS Secrets Manager](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-secrets-manager/),
+[Google Secret Manager](https://cloud.google.com/nodejs/docs/reference/secret-manager/latest),
+etc.
