I’m evaluating GitHub Actions for my project, and I currently have some questions about security.
This is our current working mode:
- each developer has his own fork of the repo, and once his code is ready for testing, a new pull request to the develop branch is created, which triggers an automatic deployment to the test environment, under a specific path with the pull request id.
- when the code review is done and the single feature is approved, the pull request is merged to develop together with the other features waiting to be released all together.
- when ready to release, a new pull request is created from develop to the master branch, and once merged, this triggers the automatic deployment to production.
Developers have access to the test and dev environments, but not to production, nor to the server used to build/deploy.
We are currently evaluating the idea of switching to GitHub Actions and getting rid of the server, but now the problem comes:
- in order to substitute the current server, we need to be able to deploy to test/dev/prod
- to do so, we need to move some secrets to access the test/dev/prod configuration (or extra secrets) into the repo
- even though developers have no access to the secrets in the repo, they can potentially create a new workflow (or change the content in their branch) which can trigger a deployment to prod instead of test/dev
- even though they work on their own fork (which does not contain the secrets), when a new PR is created, this can still trigger a deployment, and their workflow can have different content than the one in master
Is there a way to avoid this?
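As an added illustration of the separation the question is asking for (this is example configuration, not from the original post or the poster's repository), the two workflows below split the test and production deployments so that a workflow file edited in a fork or feature branch never runs with production credentials. It relies on two GitHub Actions facts: a `pull_request` run triggered from a fork receives no repository or environment secrets, and a job that names a GitHub Environment whose deployment-branch rule allows only `master` is rejected when run from any other ref. The branch names `develop` and `master` come from the post; the environment names, secret names, deploy script and URL are placeholders.

```yaml
# Added example, not the original project's configuration.
# Assumed: a deploy script at ./scripts/deploy.sh, and two GitHub Environments
# ("test" and "production") created under Settings > Environments.

# .github/workflows/test-deploy.yml
name: test-deploy
on:
  pull_request:
    branches: [develop]        # PRs into develop, as in the post's workflow
permissions:
  contents: read               # minimal GITHUB_TOKEN scope for this job
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    environment: test          # holds only test-scoped secrets, never prod ones
    steps:
      - uses: actions/checkout@v4
      # A PR opened from a fork runs this job with no secrets at all, so even a
      # rewritten workflow in the fork cannot read production credentials here.
      - run: ./scripts/deploy.sh test "pr-${{ github.event.pull_request.number }}"
        env:
          TEST_DEPLOY_TOKEN: ${{ secrets.TEST_DEPLOY_TOKEN }}  # placeholder name
---
# .github/workflows/prod-deploy.yml
name: prod-deploy
on:
  push:
    branches: [master]         # only a merge into master; never a pull_request event
permissions:
  contents: read
jobs:
  deploy-prod:
    runs-on: ubuntu-latest
    # "production" is configured with required reviewers and a deployment-branch
    # rule allowing only "master". Production secrets live as environment secrets
    # (not repository secrets), so a job on any other ref that names this
    # environment is rejected before it can read them.
    environment:
      name: production
      url: https://example.invalid   # placeholder
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh prod
        env:
          PROD_DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}  # placeholder name
```

Two caveats follow from the same facts. First, because fork PRs get no secrets, the test deployment in the first workflow only works as written if the test environment can be reached without them (or if the repository accepts the trade-off of running PR builds from branches in the base repository instead of forks); switching the trigger to `pull_request_target` would restore secrets but then runs the PR's code with the base repository's privileges, which reintroduces the problem the post describes. Second, the `push` to `master` workflow runs whatever `.github/workflows/prod-deploy.yml` is in `master` after the merge, so the protection also depends on branch protection for `master` (required review, no direct pushes) and, if wanted, a `CODEOWNERS` entry for `.github/workflows/` so changes to workflow files need an owner's approval.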