GitHub Actions Security

GitHub Actions is a powerful CI/CD platform, but a misconfigured workflow can leak repository secrets, hand write access to untrusted code, or pull a tampered action into every build (a supply chain attack). The sections below cover the three settings that matter most: token permissions and action pinning, how secrets reach a step, and which events may run code from a pull request.

Secure Workflow Configuration

name: Secure Build
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read  # Least privilege: GITHUB_TOKEN gets no write scopes

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4  # pin this to a commit SHA as well, as setup-node is below
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config for later steps

      # Pin third-party actions to a full commit SHA, not a mutable tag:
      # a tag can be moved to malicious code, a SHA cannot
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4.0.0
        with:
          node-version: '20'

      - run: npm ci
      - run: npm test

Secrets Security

# DANGEROUS - the expression is expanded into the script text before bash
# runs it, so the secret's characters are parsed as shell code (quotes, $(),
# and ; all count), and printing it leaves only best-effort log masking
- run: echo ${{ secrets.API_KEY }}

# SAFE - the secret reaches the step as an environment variable; bash never
# sees its raw text, and the script reads "$API_KEY" like any other variable
- run: ./deploy.sh
  env:
    API_KEY: ${{ secrets.API_KEY }}

GitHub redacts the exact value of each secret from the job log, but not values derived from it: a base64 or URL-encoded form, a substring, or a field pulled out of a JSON secret all print in clear. Never echo a secret, and mask anything you derive from one before it can appear in a log line.
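As an added example, not code from the original post, here is the pattern for a secret that is a JSON document (assumed here to be named SERVICE_ACCOUNT_JSON) whose `token` field is needed by an assumed `./deploy.sh`. The derived field is outside GitHub's automatic masking, so the step registers it with the `::add-mask::` workflow command before using it:

```yaml
name: Deploy
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production
        with:
          persist-credentials: false

      - name: Deploy with a field extracted from a JSON secret
        env:
          # An expression is fine here: it sets a variable and is never
          # pasted into the script body.
          SA_JSON: ${{ secrets.SERVICE_ACCOUNT_JSON }}   # assumed secret name
        run: |
          set -euo pipefail
          # Automatic masking only redacts the exact text of SERVICE_ACCOUNT_JSON;
          # the extracted token is a new string the log scrubber knows nothing about.
          token="$(printf '%s' "$SA_JSON" | jq -r '.token')"
          # Register the derived value so it is redacted from this and later log lines.
          echo "::add-mask::$token"
          # Hand it to the child process through its environment, not as a
          # command-line argument (arguments are visible in `ps` output).
          API_TOKEN="$token" ./deploy.sh   # assumed script; reads API_TOKEN
```

The `::add-mask::` line must run before the value is printed anywhere, including by `set -x`; masking is applied to log lines written after the command is seen, and nothing rewrites lines already emitted.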

Pull Request Security

Pwn Request Attack

pull_request_target runs the workflow file from the base branch with the base repository's secrets and a GITHUB_TOKEN that defaults to write access, even for pull requests opened from forks. If that workflow checks out the PR head and executes anything from it (a build, the test suite, package.json lifecycle scripts run by npm ci), the attacker's code runs with those secrets and the write token and can exfiltrate them. The attacker never has to touch the workflow file itself: any file the workflow executes is enough, which is why "we only run our own workflow" is not a defense.

# DANGEROUS - Runs untrusted code with secrets
on: pull_request_target  # workflow runs from the base branch, with secrets and a write token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Attacker's code!
      - run: npm ci  # runs package.json lifecycle scripts from the fork, with the secret below
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # now readable by the attacker's scripts
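The fix is to split untrusted work from privileged work. As an added example (not from the original post), the pull_request workflow below builds the fork's code with a read-only token and no repository secrets and uploads its result as an artifact; a second workflow_run workflow, which always runs from the default branch's copy of the file, downloads that artifact and uses a secret to publish it without ever executing anything from the pull request. The workflow names, the report.json output, the REPORT_TOKEN secret and the upload URL are assumptions for illustration:

```yaml
# .github/workflows/pr-build.yml  (untrusted half: fork code runs here,
# but with a read-only GITHUB_TOKEN and no access to repository secrets)
name: PR Build
on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # pin to a commit SHA in production
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4  # pin to a commit SHA in production
        with:
          node-version: '20'
      # The fork's package.json scripts and tests run here. That is acceptable
      # because this job holds nothing worth stealing.
      - run: npm ci
      - run: npm test -- --json --outputFile=report.json   # assumed: the test runner writes report.json
      - uses: actions/upload-artifact@v4
        with:
          name: test-report
          path: report.json

---
# .github/workflows/pr-publish.yml  (privileged half: runs from the default
# branch's version of this file and never checks out the PR)
name: PR Publish
on:
  workflow_run:
    workflows: ["PR Build"]
    types: [completed]

permissions:
  actions: read   # required to download another run's artifact; nothing else

jobs:
  publish:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact is attacker-influenced data: validate it, never execute it.
      - run: jq -e 'type == "object"' report.json
      - run: |
          curl --fail --silent --show-error \
            -H "Authorization: Bearer $REPORT_TOKEN" \
            --data-binary @report.json \
            "https://reports.example.com/upload"   # assumed endpoint
        env:
          REPORT_TOKEN: ${{ secrets.REPORT_TOKEN }}  # assumed secret; invisible to the PR's code
```

If you must use pull_request_target (for example to label or comment on fork PRs), apply the same rule inside it: check out nothing from the PR head, treat the event payload as untrusted data, and set `permissions:` to the one scope the job needs.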
Best Practices

December 2024