Skip to main content

Rotation Checklist

Use this checklist when a secret may be stale, leaked, or due for scheduled rotation.

Steps

  1. Identify the secret name, owning service, and all consumers.
  2. Create the replacement value in the provider or secret manager.
  3. Update Infisical and required GitHub Actions secrets.
  4. Redeploy or restart dependent services.
  5. Validate health checks and application behavior.
  6. Revoke the old value.
  7. Update documentation with the rotation date and owner, never the value.

Extra Care

For bootstrap secrets, verify rollback before revocation. For model provider keys, inspect usage dashboards after rotation to confirm the new key is active.