Workflow_dispatch by Admins only on main branch

I have a private org repo with hired consultants working on the code base with Action-based deployment to Azure.

It is unclear to me what settings I need to make it so that only Repo Admins can manually trigger the deployment action and only using the definition in the main branch. I have branch protection that requires Admin to merge to main (I think, although GitHub makes this enforcement awkward and uncertain too).

It’s hard to see what the consultants can do because of limited user accounts I have available to experiment with, but it seems to me that because the Action is on: workflow_dispatch, the developers working on their own branch are able to run the Action any time they want. I think they can also modify the Action definition in their branch and use the manual-trigger Action UI to run the action definition that they’ve modified in their branch instead of the definition in main - and that could potentially be used to leak out the secrets or other bad things.

Does GitHub offer strong security configuration for this typical need, external developers or not?

Thanks!


Hi Jason!

You are on the right track with the use of protected branches. One way that you can protect deployments with GitHub Actions is through the use of Environments (Environments - GitHub Docs).

You can set up an environment called “Production”, or something similar, and you can set up deployment branches (Environments - GitHub Docs) which you can configure to only allow deploys from specific branches or branches named using a particular pattern (similar to branch protection rule settings).

You can also configure GitHub Actions Secrets to be environment-specific, and store your production deployment credentials in Environment Secrets for the Production environment only (Encrypted secrets - GitHub Docs).

This does not preclude someone with access to the repository from running the workflow on a different branch, but what the workflow will actually do can definitely be configured in a way that aligns with what you are looking to accomplish.
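What the answer above describes, as an added example workflow that is not part of the original thread: the job binds to a "Production" environment so that its environment secrets are released only when the environment's deployment-branch rule accepts the ref. The environment name, the `AZURE_CREDENTIALS` secret name and the deploy command are assumptions.

```yaml
name: Deploy to Azure

on:
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to the environment is what makes the server-side checks apply:
    # Environment Secrets are only exposed to jobs that reference the environment,
    # and the deployment-branch rule configured on "Production" (Settings >
    # Environments) rejects the job when the triggering ref is not an allowed
    # branch, such as main. A copy of this file edited on a feature branch still
    # cannot obtain the Production secrets.
    environment: Production
    # Defence in depth only: this condition lives in the workflow file and can be
    # edited on any branch, so it must not be the sole control.
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      # azure/login reads the service-principal JSON from an environment secret
      # (assumed name: AZURE_CREDENTIALS). Outside the Production environment the
      # expression resolves to an empty string and the login step fails.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Placeholder for the real deployment step.
      - run: echo "deploying ${{ github.sha }} from ${{ github.ref }}"
```

Store the production credentials only as Environment Secrets, not as repository secrets, otherwise any branch's workflow can still read them.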

I have GitHub Teams for my org but “Environments” doesn’t show up under settings. The documents say that, but Environment settings missing - #2 by damianh reflects the reality.