Limit secrets to specific branches

Hello there,

We are just starting to use GitHub actions for deploys, but have a security concern: is it possible to only allows actions with secrets to run on specific branches?

Right now anyone with write access is able to push a new workflow and make use of the secret keys, on any branch, and therefore have the ability to deploy to production even without write access to master.


1 Like

Hi @joedelia , 

Currently, secrets are not restricted to be used for non-default branches.

I have found an existing customer feedback in our internal channel asking for “Branch-scoped Secrets”.

I would recommend you sharing your sceanrio and idea in the Feedback form for GitHub Actions.  This will be conducive to increate the priority of this feature. Thank you for your understanding . 

Perhaps a more flexible model would be limiting secrets to specific workflows, controlled outside of git (e.g. associated with the secret itself).

This would make it safer to have things like comment-based workflows inside public repos. We would not provide secrets to those workflows. It could be made backwards-compatible by making all existing secrets set to “available to any repo workflow”, possibly making that the default in the UI but allowing it to be optionally specified via the API on secret writes.

Org secrets would be trickier, but having this for repo-scoped secrets would be great.