How to Secure Your GitHub Actions
Offered By: NDC Conferences via YouTube
Course Description
Overview
Explore essential strategies for securing GitHub Actions workflows in this comprehensive conference talk. Learn how to manage access control, protect sensitive information, and implement best practices for DevOps security. Discover techniques for safeguarding repository access, managing workflow secrets, and securing self-hosted runners. Examine the importance of containerization, data persistence between runs, and protective measures against potential threats. Gain insights into forking actions, enabling DevOps teams to test actions safely, and maintaining up-to-date workflows through automated processes. Master the art of balancing security with DevOps efficiency in real-world continuous integration and deployment scenarios.
Syllabus
GitHub Actions Security
What are GitHub workflows?
Workflow example
Repository security
Code - Who has access?
Configuring access
From the user
Workflow secrets
Who has access to your secrets?
Your code - Best practices
Your code/repo – trace changes (org level)
Self-hosted runners
Self hosted runners
Workflow Runners Security
Best practice: Run the action inside of a container
Persisting data between runs
Workflow runners - Best practice
Protective measures
Recommendation
Forking actions
Enable DevOps teams to test actions
Staying up to date
Create an update process yourself
Automate the update: Use a workflow
Best practices summarized
Taught by
NDC Conferences
Related Courses
Docker Mastery: with Kubernetes +Swarm from a Docker Captain (Udemy)
Deploy Infra in the Cloud using Terraform (Udemy)
Integrating Appium into a DevOps Pipeline (Pluralsight)
Microsoft DevOps Solutions: Designing a Sensitive Information Strategy (Pluralsight)
Testing and Deploying GatsbyJS Applications: Playbook (Pluralsight)