avoid unnecessary workflow restrictions

TanStack/router
Based on 2 comments
Yaml

CI/CD Yaml

Reviewer Prompt

Remove unnecessary approval gates, custom tokens, and restrictive conditions in CI/CD workflows when existing security measures are sufficient. Over-restrictive workflows create friction without meaningful security benefits.

For example, avoid adding approval requirements when contributor workflows already require approval:

jobs:
  preview:
    name: Preview
    # Remove unnecessary approval check
    # if: github.event.review.state == 'APPROVED'

Similarly, use built-in tokens when appropriate instead of custom secrets:

- uses: actions/labeler@v4.3.0
  with:
    repo-token: ${{ secrets.GITHUB_TOKEN }}  # Use built-in token

Evaluate each workflow condition to ensure it adds genuine security value rather than just creating additional steps.
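
The labeler step above in a complete workflow, as an added example that is not taken from the TanStack/router repository: the built-in token replaces a custom secret, and a job-level `permissions` block limits that token to what labeling needs. The workflow name, the trigger, the runner and the `LABELER_PAT` secret name are assumptions.

```yaml
# Added example, not the project's own workflow.
# Values marked "assumed" are illustrative.
name: Labeler              # assumed workflow name
on:
  pull_request_target:     # assumed trigger; this job never checks out or runs PR code

# Start from no permissions, then grant only what each job needs.
permissions: {}

jobs:
  label:
    runs-on: ubuntu-latest # assumed runner
    permissions:
      contents: read         # read the labeler configuration
      pull-requests: write   # apply labels to the pull request
    steps:
      # Before: a long-lived custom secret whose scope is defined outside this file.
      # - uses: actions/labeler@v4.3.0
      #   with:
      #     repo-token: ${{ secrets.LABELER_PAT }}   # assumed secret name

      # After: the per-run built-in token, limited by the permissions block above.
      - uses: actions/labeler@v4.3.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

With the scope declared in the workflow file, a reviewer can see what the token is allowed to do without checking repository or organization secret settings.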
