This token is granting each runner privileges to interact with the repository. This is a general security principle for all the credentials used by your workflow, but let’s focus on a GitHub-specific one: the GITHUB_TOKEN. Let’s dive into the best practices: Set minimum scope for credentials This cheat sheet is here to help you mind the risks posed by some GitHub Action workflows, no matter if you are maintaining open-source projects or not. Sounds scary? Maybe, but far from impossible! This is why it is recommended that developers always check the code before downloading new third-party apps and set up billing alerts if necessary to avoid unexpected costs. Nightmare scenario: imagine a malicious GitHub Action stealing secrets passed to the CI is published in the GitHub Marketplace to mine cryptocurrencies. A step can be a shell script or an action, which is a reusable piece of code specially packaged for the GitHub CI ecosystem.īecause GitHub is hosting millions of open-source projects that can be forked and contributed to through pull requests, GitHub Actions security is paramount to prevent supply-chain attacks. For instance, they can be used to format the code, format the PR, sync an issue's comments with another ticketing system’s comments, add the appropriate labels to a new issue, or trigger a full-scale cloud deployment.Ī workflow is made of one or more jobs, which are run inside their own virtual machine or container (a runner), that execute one or more steps. Actions are triggered by GitHub events (a pull request is submitted, an issue is opened, a PR is merged, etc…) and can execute pretty much any command. ![]() ![]() It’s the mechanism used to run workflows from development to production systems. GitHub Actions is GitHub’s CI/Cd service. Example URLs are or # github-server-url: ' ' Scenarios # Default: false submodules: ' ' # Add repository path as safe.directory for Git global config by running `git # config -global -add safe.directory ` # Default: true set-safe-directory: ' ' # The base URL for the GitHub instance that you are trying to clone from, will use # environment defaults to fetch from the same instance that the workflow is # running from unless specified. # When the `ssh-key` input is not provided, SSH URLs beginning with # are converted to HTTPS. # Default: 1 fetch-depth: ' ' # Whether to download Git-LFS files # Default: false lfs: ' ' # Whether to checkout submodules: `true` to checkout submodules or `recursive` to # recursively checkout submodules. 0 indicates all history for all branches and tags. # Default: true sparse-checkout-cone-mode: ' ' # Number of commits to fetch. Each pattern should be separated with # new lines # Default: null sparse-checkout: ' ' # Specifies whether to use cone-mode when doing a sparse checkout. # Default: true ssh-strict: ' ' # Whether to configure the token or SSH key with the local git config # Default: true persist-credentials: ' ' # Relative path under $GITHUB_WORKSPACE to place the repository path: ' ' # Whether to execute `git clean -ffdx & git reset -hard HEAD` before fetching # Default: true clean: ' ' # Do a sparse checkout on given patterns. Use # the input `ssh-known-hosts` to configure additional hosts. When true, adds the options # `StrictHostKe圜hecking=yes` and `CheckHostIP=no` to the SSH command line. ![]() ssh-known-hosts: ' ' # Whether to perform strict host key checking. The public key for is always implicitly # added. The public SSH # keys for a host may be obtained using the utility `ssh-keyscan`. ![]() # () ssh-key: ' ' # Known hosts in addition to the user and global host key database. # We recommend using a service account with the least permissions necessary. The SSH key is configured with the local # git config, which enables your scripts to run authenticated git commands. For example, actions/checkout # Default: $ token: ' ' # SSH key used to fetch the repository.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |