From 97556b4ea9b74b1aaf5a5c53d53793e892bf23e0 Mon Sep 17 00:00:00 2001 From: Jack Berg <34418638+jack-berg@users.noreply.github.com> Date: Thu, 28 May 2026 08:17:43 -0500 Subject: [PATCH] Migrate repository secrets to protected environment secrets --- .github/repository-settings.md | 12 ++++++++++-- .github/workflows/build-daily.yml | 1 + .github/workflows/release.yml | 1 + .../sonatype-guide-dependency-audit-daily.yml | 1 + 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/repository-settings.md b/.github/repository-settings.md index 85b2a9053a4..7eb775b6002 100644 --- a/.github/repository-settings.md +++ b/.github/repository-settings.md @@ -4,16 +4,24 @@ This document describes any changes that have been made to the settings in this repository outside the settings tracked in the private admin repo. -## Secrets and variables > Actions -### Repository secrets +## Environments + +### `protected` environment + +Deployment branches: `main`, `release/*` +Secrets: + +- `COPILOT_GITHUB_TOKEN` - owned by [@jack-berg](https://github.com/jack-berg) - `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password - `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password - `SONATYPE_GUIDE_PAT` - owned by [@jack-berg](https://github.com/jack-berg) - `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg) - `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg) +## Secrets and variables > Actions + ### Organization secrets - `CODECOV_TOKEN` diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml index f24f0546ab1..18d028a6850 100644 --- a/.github/workflows/build-daily.yml +++ b/.github/workflows/build-daily.yml @@ -14,6 +14,7 @@ jobs: uses: ./.github/workflows/reusable-link-check.yml publish-snapshots: + environment: protected runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
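Review bot: The added `environment: protected` in `publish-snapshots` depends on an environment that exists only in repository settings, and nothing in the workflow says so. GitHub creates a referenced environment that does not yet exist, with no protection rules and no secrets. A renamed or missing environment, or possibly a fork running this workflow, would therefore reach the publish steps with empty credentials instead of being stopped at the gate. I would add a comment above the line, `# 'protected' is configured in repo settings (deployment branches: main, release/*); see .github/repository-settings.md`, and the same comment fits the `release` and `analyze` jobs in the other two workflow hunks. The job's steps continue past the end of the hunk, so whether they already fail fast on empty secrets is not visible here.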
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9dca68f9128..a0d26d5b11c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ permissions: jobs: release: + environment: protected permissions: contents: write # for creating the release runs-on: ubuntu-24.04 diff --git a/.github/workflows/sonatype-guide-dependency-audit-daily.yml b/.github/workflows/sonatype-guide-dependency-audit-daily.yml index 8070d970b16..f7684e37534 100644 --- a/.github/workflows/sonatype-guide-dependency-audit-daily.yml +++ b/.github/workflows/sonatype-guide-dependency-audit-daily.yml @@ -12,6 +12,7 @@ permissions: jobs: analyze: + environment: protected runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
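Review bot: On the `release` job, the `environment: protected` gate is only as strong as the control over who may create or push branches matching `release/*`, and the patch does not record that control. The settings document lists deployment branches `main` and `release/*` and mentions no required reviewers. If `release/*` is not covered by a branch ruleset, the environment would release `GPG_PRIVATE_KEY` and the Sonatype credentials, alongside this job's `contents: write`, to whatever workflow content such a branch carries. I would record the ruleset that restricts `release/*` next to the environment entry in `.github/repository-settings.md`, and consider required reviewers on the environment for this job. The job body continues outside the hunk.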
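Review bot: The `analyze` job now joins the same `protected` environment as the release and snapshot-publishing jobs, which makes the GPG signing key and the Sonatype publishing credentials available to a daily audit job that presumably needs only `SONATYPE_GUIDE_PAT`. Which secrets the steps read is outside the hunk, so this is inferred from the workflow name and the secret list in `.github/repository-settings.md`. A separate environment holding only the audit token would keep the signing material scoped to the jobs that publish; the line would become, for example, `environment: dependency-audit` (the name is a placeholder). This job also runs on `ubuntu-latest` while the other two jobs pin `ubuntu-24.04`.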