I am looking into ways to make the CircleCI environment variables scope restricted as much as possible. This is partially driven by the Codecov incident earlier this year: https://about.codecov.io/security-update/
CircleCI offers the “context” approach described here: Using Contexts - CircleCI
From what I understand contexts are per job. Is my understanding correct?
I am planning to structure my yaml file so a “step” only has access to environment variables on a need-to-know basis. For example the Codecov step, which is part of a test job, should only have access to the codecov token. But because the context can be specified per job, it ends up having all the context’s env variables even though it only should have one.
I would also like to separate production and staging related workflows, so tokens cannot be exposed to the other environment.
Any suggestions on how to approach this?
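The following CircleCI 2.1 config is an added illustration of the structure the post is asking about; it is not part of the original post and not CircleCI's own sample. Contexts are attached to jobs in the `workflows` section, so the way to give the Codecov step only its own token is to move it out of the `test` job into its own job (`upload-coverage` below) and attach a context containing nothing but `CODECOV_TOKEN` to that job. Staging and production deploys are separate workflow entries with separate contexts and branch filters, so neither job ever sees the other's secrets. The context names (`codecov-only`, `staging-secrets`, `production-secrets`), the images, the `coverage` directory and the `upload-coverage.sh` / `deploy.sh` scripts are assumptions for the example.

```yaml
version: 2.1

jobs:
  # Runs the test suite with no context attached at all: no secrets are
  # present in this job's environment.
  test:
    docker:
      - image: cimg/node:16.20   # assumed image
    steps:
      - checkout
      - run: npm ci
      - run: npm test
      # Hand the coverage report to the next job without sharing any secret.
      - persist_to_workspace:
          root: .
          paths:
            - coverage            # assumed output directory

  # Only this job receives the Codecov token (via the codecov-only context).
  upload-coverage:
    docker:
      - image: cimg/base:stable
    steps:
      - attach_workspace:
          at: .
      - run:
          name: Upload coverage report
          command: ./upload-coverage.sh   # assumed script; reads $CODECOV_TOKEN

  # One parameterised deploy job; the secrets come only from the context
  # attached to each workflow entry, never from the job definition.
  deploy:
    parameters:
      target:
        type: string
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: ./deploy.sh << parameters.target >>   # assumed script

workflows:
  build-test-deploy:
    jobs:
      - test
      - upload-coverage:
          requires:
            - test
          context: codecov-only          # contains only CODECOV_TOKEN
      - deploy:
          name: deploy-staging
          target: staging
          requires:
            - test
          context: staging-secrets       # staging credentials only
          filters:
            branches:
              only: develop
      - deploy:
          name: deploy-production
          target: production
          requires:
            - test
          context: production-secrets    # production credentials only
          filters:
            branches:
              only: main
```

A practical check after adopting this layout is to run `env` (with values masked) in each job once and confirm that `test` shows none of the project's tokens, `upload-coverage` shows only `CODECOV_TOKEN`, and each deploy job shows only its own environment's credentials; any variable that appears where it is not needed points to a context that is still too broad or to a project-level environment variable that should move into a context.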