I have a single-tenant setup where I deploy an ECS Fargate cluster/service/task per client.
The projects have a remote DB path/credentials, some Rails secrets, and other per-client specific secrets.
And I'm deploying these via GH Actions. The problem is that this feels very insecure; for instance, GH sees all the credentials when it's pushing the new task definition.
What's the proper way of doing this without overcomplicating things for myself, like trying to create SSM or AWS Secrets and IAM users, etc.?