Github Actions Security Secrets Forks

CI/CD as code created whole new challenges. Security is among them.
Right now "Send secrets to workflows from fork pull requests." is checked by default. With a third-party fork and a change in the “.github/workflows” files to dump secrets to the console, it is so easy to steal secrets. Moreover, with PR and fork removal, any trace of this activity is gone.
This is a serious vulnerability. Here are the proposals (by priority and ease of implementation):

  1. Make "Send secrets to workflows from fork pull requests." unchecked by default.
  2. Do not allow changing “.github/workflows” files from forks. Forks rarely change CI/CD. If they want to change it, they will have to use issues or other ways to communicate this change.
  3. Mask secrets anywhere, anytime. There are still plenty of shell scripts that allow dumping secrets, passing them from step to step unmasked, etc.

Thanks for the feedback!

GitHub Actions improvements for fork and pull request workflows | The GitHub Blog

We also have various suggestions/guidance at Keeping your GitHub Actions and workflows secure: Preventing pwn requests | GitHub Security Lab

By default, we don’t allow running workflows from forks, so we believe this will get us to the default secured state and provide opt-in for users. Thanks for the feedback!
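The risk raised in the opening post (fork code running where repository secrets are reachable) and the "pwn request" pattern the Security Lab guide linked in the reply describes both come down to one workflow shape: a `pull_request_target` trigger, which runs with the base repository's secrets, combined with a checkout of the pull request head, which the fork author controls. The check below, an added example that is not from either poster, from GitHub, or from the linked guide, shows that weak shape beside the hardened `pull_request` form and flags the weak one with a line-based heuristic so it can run without a YAML library. The workflow files, the `build.sh` script and the `DEPLOY_TOKEN` secret are constructed for the example.

```python
"""Added example: flag workflows that run fork (untrusted) code with secrets available.

Line-based heuristic, no YAML library needed. A workflow is reported when it triggers
on `pull_request_target` (runs in the base repository's context, with secrets) AND a
job checks out the pull request head (code the fork author controls).
"""
import re

# Constructed sample (hypothetical project): the weak pattern. The trigger grants
# secrets and the checkout pulls in the fork's code, so a modified build.sh can read them.
WEAK_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./build.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample: the hardened pattern. A plain pull_request trigger runs fork code
# with a read-only token and without repository secrets, so a tampered workflow gains nothing.
HARDENED_WORKFLOW = """\
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
"""

# Trigger keyword outside a comment (covers `on: pull_request_target`, list and map forms).
TARGET_TRIGGER_RE = re.compile(r"^\s*[^#]*\bpull_request_target\b")
# Checkout of the PR head: the fork's commit, not the base branch.
HEAD_CHECKOUT_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
# Any reference to a repository secret.
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.\w+")


def find_issues(workflow_text):
    """Return [(line_no, message), ...] for one workflow file; empty means no finding."""
    lines = workflow_text.splitlines()
    uses_target = any(TARGET_TRIGGER_RE.search(ln) for ln in lines)
    checks_out_head = any(HEAD_CHECKOUT_RE.search(ln) for ln in lines)
    if not (uses_target and checks_out_head):
        return []  # secrets without fork code, or fork code without secrets: not this pattern
    findings = []
    for n, line in enumerate(lines, 1):
        if HEAD_CHECKOUT_RE.search(line):
            findings.append((n, "pull_request_target job checks out the fork's head: "
                                "untrusted code runs with secrets available"))
        elif SECRET_REF_RE.search(line):
            findings.append((n, "secret is reachable from that untrusted code"))
    return findings


def is_risky(workflow_text):
    """True when the workflow lets fork-controlled code run with repository secrets."""
    return bool(find_issues(workflow_text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {'RISKY' if is_risky(text) else 'ok'}")
        for n, msg in find_issues(text):
            print(f"  line {n}: {msg}")
```

The hardened form is what the reply's "we don't allow running workflows from forks" default amounts to for the common case: a `pull_request` workflow from a fork gets no repository secrets, so there is nothing for a modified workflow file to dump. The check is deliberately a heuristic over lines rather than a YAML parse, so it will miss triggers spelled across unusual layouts and should be treated as a first-pass audit of a `.github/workflows` directory, not a guarantee.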