Ground Controller Lvl 1
Message 1 of 2

Support for Protected Secrets

When using GitHub Actions for Continuous Deployment, it seems as though any collaborator on the team could work around the system in the following ways:

  1. Trigger a deployment by simply creating a change to the workflow file that executes the deployment on their branch that they are pushing, rather than the deployment branch. This will run as soon as they push the code, bypassing any branch protections on the deployment branch.
  2. Steal the deployment secrets by sending them somewhere by modifying the workflow file and pushing their code.


An obvious solution would be to implement "Protected Secrets" with a checkbox much like Gitlab does for "Protected environment variables"... "Protected Secrets" would only be passed to actions running on protected branches.

1 Reply
GitHub Partner
Message 2 of 2

Re: Support for Protected Secrets

For your first scenario, if you use `on: push` in your workflow file on non-deployment branches, it will be triggered when you push the change. You could use `paths-ignore` to exclude changes to the workflow file. https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-...

For the second one, you could share your idea in the Feedback form for GitHub Actions.
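As an added example (not from either post), the two workflow variants below show the exposure described in the first message and a configuration that scopes the deployment secret to the protected branch. The second variant relies on GitHub Actions environments with a deployment-branch policy, which is not discussed in the thread; `DEPLOY_TOKEN`, `production` and `./scripts/deploy.sh` are assumed names.

```yaml
# Variant 1 (weak): repository-level secret, runs on any pushed branch.
# Because a push runs the workflow file from the pushed ref, a collaborator
# can edit this file on their own branch and the run still receives
# secrets.DEPLOY_TOKEN, regardless of branch protection on the deploy branch.
name: deploy-weak
on:
  push:                     # no branch filter: every branch triggers a deploy
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # repo-level secret (assumed name)
        run: ./scripts/deploy.sh                      # assumed deploy script

---
# Variant 2 (hardened): the secret is stored on the "production" environment
# (Settings -> Environments -> production), whose "Deployment branches" policy
# is limited to the protected deploy branch. That policy is enforced by GitHub
# against the ref that triggered the run, not by this file, so rewriting the
# trigger or the environment name on another branch does not yield the secret.
name: deploy-hardened
on:
  push:
    branches: [main]        # defence in depth only; a fork of this file can change it
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production # runs from non-allowed refs get no environment secrets
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # environment-scoped secret (assumed name)
        run: ./scripts/deploy.sh
```

Secrets defined at repository or organization level remain available to any workflow that runs, so move deployment credentials to the environment and remove the repository-level copy for the restriction to have effect.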