Overview
Syllabus
GitHub Actions Security
What are GitHub workflows?
Workflow example
Repository security
Code - Who has access?
Configuring access
From the user
Workflow secrets
Who has access to your secrets?
Your code - Best practices
Your code/repo – trace changes (org level)
Self-hosted runners
Self-hosted runners
Workflow Runners Security
Best practice: Run the action inside a container
Persisting data between runs
Workflow runners - Best practice
Protective measures
Recommendation
Forking actions
Enable DevOps teams to test actions
Staying up to date
Create an update process yourself
Automate the update: Use a workflow
Best practices summarized
Taught by
NDC Conferences