Before using secrets in CI/CD workflows that can be triggered by external contributors (forks, dependabot), assess the "blast radius" of potential secret compromise. Differentiate between high-risk secrets that provide infrastructure access and limited-scope secrets with constrained permissions.
High-risk secrets (avoid in externally triggerable workflows):
Limited-scope secrets (may be acceptable with proper controls):
Example from workflow configuration:
# Acceptable: Chromatic token only allows snapshot uploads
- name: Run Chromatic
  uses: chromaui/action@latest
  with:
    projectToken: $
Always implement additional safeguards such as requiring approval for external PR workflows, and document the security tradeoffs whenever a secret is used in a publicly triggerable workflow.
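As an added example (not part of the original page or any project's code), the following Python script applies the blast-radius rule above to raw workflow text: it reads the event names under `on:`, collects every `${{ secrets.NAME }}` reference, and rates each secret by how far it can reach when the workflow runs for fork- or bot-supplied input. The externally triggerable event list, the set of limited-scope secret names and both sample workflows are constructed assumptions; adjust the policy set to the project's own inventory.

```python
"""Audit a GitHub Actions workflow for secrets exposed to externally triggerable events."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Events that run with the base repository's secrets even though a fork, bot or
# commenter supplied the input (assumption: common guidance, not an exhaustive list).
EXTERNAL_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run",
                     "pull_request_review", "pull_request_review_comment"}

# Constructed policy: secrets whose permissions are narrow enough (e.g. snapshot
# upload only) that exposure is tolerable with a documented tradeoff.
LIMITED_SCOPE_SECRETS = {"CHROMATIC_PROJECT_TOKEN"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# YAML 1.1 parses a bare `on` as a boolean, so some authors quote it.
ON_LINE = re.compile(r"""^(?:on|'on'|"on"):\s*(.*)$""")


@dataclass(frozen=True)
class Finding:
    secret: str
    severity: str  # "high", "medium" or "low"
    reason: str


def declared_triggers(workflow: str) -> set[str]:
    """Collect event names from the top-level `on:` block (scalar, flow list or mapping)."""
    triggers: set[str] = set()
    in_on = False
    event_indent = None
    for line in workflow.splitlines():
        m = ON_LINE.match(line)
        if m:
            rest = m.group(1).strip()
            if rest.startswith("["):  # on: [push, pull_request_target]
                triggers.update(t.strip() for t in rest.strip("[]").split(",") if t.strip())
            elif rest:                # on: pull_request_target
                triggers.add(rest)
            in_on = True
            continue
        if not in_on or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_on = False             # the next top-level key ends the `on:` block
            continue
        if event_indent is None:
            event_indent = indent     # first nested line fixes the event-name indent
        if indent == event_indent:    # deeper lines (branches:, types:) are filters, not events
            name = re.match(r"^\s*(?:-\s*)?([A-Za-z_]+)", line)
            if name:
                triggers.add(name.group(1))
    return triggers


def secrets_referenced(workflow: str) -> set[str]:
    """Every `${{ secrets.NAME }}` expression in the file."""
    return set(SECRET_REF.findall(workflow))


def has_environment_gate(workflow: str) -> bool:
    """True if any job declares `environment:`; required reviewers must still be set on it."""
    return re.search(r"^\s+environment:\s*\S", workflow, re.MULTILINE) is not None


def audit(workflow: str, limited_scope: set[str] = LIMITED_SCOPE_SECRETS) -> list[Finding]:
    """Classify each secret by blast radius when the workflow is externally triggerable."""
    external = declared_triggers(workflow) & EXTERNAL_TRIGGERS
    if not external:
        return []  # only trusted events: fork-driven runs never see these secrets
    gated = has_environment_gate(workflow)
    findings: list[Finding] = []
    for secret in sorted(secrets_referenced(workflow)):
        if secret in limited_scope:
            findings.append(Finding(secret, "low", "limited-scope token; acceptable with a documented tradeoff"))
        elif secret == "GITHUB_TOKEN":
            findings.append(Finding(secret, "medium", "built-in token has write access by default on pull_request_target; restrict `permissions:`"))
        elif gated:
            findings.append(Finding(secret, "medium", "infrastructure secret behind an environment; confirm it requires reviewers"))
        else:
            findings.append(Finding(secret, "high", "infrastructure secret reachable from " + ", ".join(sorted(external))))
    return findings


# Constructed sample: a limited-scope token next to an infrastructure key on pull_request_target.
RISKY_WORKFLOW = """\
name: visual-tests
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  chromatic:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Chromatic
        uses: chromaui/action@latest
        with:
          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
      - name: Publish preview
        run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_KEY }}
"""

# Constructed sample: same secrets, but only trusted triggers (forks get no secrets on pull_request).
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("on:\n  pull_request_target:\n    types: [opened, synchronize]\n",
                                       "on: [push, pull_request]\n")

if __name__ == "__main__":
    for f in audit(RISKY_WORKFLOW):
        print(f"[{f.severity.upper()}] {f.secret}: {f.reason}")
```

Run against the risky sample, the script rates the Chromatic token low and the deploy key high; switching the trigger list to `push`/`pull_request` yields no findings, which is the cheapest fix when a job does not actually need `pull_request_target`. The checker is line-based on purpose so it can run in a pre-commit hook without a YAML dependency; a real policy would load the limited-scope set from a repository-owned allowlist rather than a constant.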