Is this an open source repository, where people will be using forks to propose changes to your workflow?
If so, see these docs. The default setting requires approval of workflows to run for all outside collaborators, which means other people won't be able to extract your secrets.
git - Manage secrets in GitHub Actions - Stack Overflow
Access to GitHub secrets requires at least collaborator
access.
Select Yes if the statement is true. Otherwise, select No.
git - Is it okay to use GitHub Secrets with a public repo? - Stack Overflow
Secrets: which permission do my developer needs and is there a "service account"?
Yes, secrets are safe to use in public repositories but there are some things you should be careful about.
All secrets are automatically masked in build logs and show as
***. However, if during your workflow you create a sensitive credential from a secret (e.g. base64 an API key) then you should mask the new value so it doesn't leak in the build log.echo "::add-mask::My sensitive value"If you are very concerned about the security of your secrets, I would also suggest not using third party GitHub actions directly by following the action's tags or branches. Fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets being used by the action, and send them to some external server under their control.
Alternatively, use the action directly and reference the commit hash for the version you want to target.
- uses: thirdparty/foo-action@172ec762f2ac8e050062398456fccd30444f8f30Use two-factor authentication (2FA) on your account. If your account is compromised, it's trivial for an attacker to create a workflow and export your secrets.
Repository collaborators or any organization users with
writeaccess are able to create a workflow to export secrets. So manage access to your repository carefully.
Points related to pull requests:
- Public repository
pull_requestevents triggered by forks do not have access to secrets, except for the defaultGITHUB_TOKEN. Additionally, TheGITHUB_TOKENhas read-only access when an event is triggered by a forked repository. These are intentional restrictions enforced by GitHub Actions to prevent an attacker creating a pull request containing a workflow that captures secrets, or uses secrets to perform operations. - The
pull_request_targetevent does not have secret restrictions for events triggered by forks. By default it checks out the last commit on the base branch, but it is possible to checkout the pull request HEAD. Choosing to do this requires extreme caution. Passing secrets to any code that could be modified in a pull request could allow an attacker to write code to export secrets.
Yes, it appears so. According to Github, you have organization-level access control policies to who can access your secrets.
For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.
Whether the repository is public or private does not affect this, and that makes sense. Public projects need secrets, too.
Hello,
experimenting with Actions and secrets to push docker containers in AWS EC2...
my developer asked me to elevate his role to "admin", because as "writer" he could not use the secrets....
questions:
-
which role shoucl an account who uses the secret have?
-
is there something similar to IAM in AWS that instead to use a user account I create a role/policy to use the secret?
thank you all
I have a free GitHub account. I have a private repo with two external collaborators. I would like to add a secret to the private repo. If I do this will the two collaborators be able to see the secret?