Best way to prevent access to deploy keys and secrets used on CI machines?


We have a few items necessary to deploy our application that are not allowed to be handled by all developers, even though they may have access to the source code for the particular repo, namely:

Signing certificates/private keys
Certain Github API tokens

We’d like to fully automate our continuous delivery, but since any developer has SSH access to all machines, we can’t put any of those on the CI machines due to the enterprise security controls.

One possibility would be to create an entirely separate repo hooked up to CircleCI that we manage access control around, and use that repo solely for deploys and deployment scripts, but that’s an unwieldy process to manage and set up.

Is there any way to either restrict SSH access to certain workflows/jobs only to people who are authorized, or just any way to set up the secrets on the machines such that they are inaccessible to developers who are not supposed to have access to these?