CI/CD Pipelines: Security, Secrets, and Governance/Be careful with untrusted pull requests

Avoid exposing secrets to code from forks.

Section: Reduce pipeline risk

Be careful with untrusted pull requests

```yaml
on:
  pull_request:
    branches: [main]
```
Explanation

Treat external contributions as untrusted. With the pull_request trigger shown above, runs for pull requests from forked repositories receive a read-only GITHUB_TOKEN and no repository secrets. Split the validation workflows that run on pull requests from the secret-bearing deploy workflows, so that code from a fork never executes in a job that holds deploy credentials.
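An added example (not part of the original sheet) of the split described above, as two separate workflow files. The job names, the environment name "production", the deploy script and the secret name are assumptions.

```yaml
# Added example, not from the original sheet. Two files are shown, separated
# by a comment line; the file paths, job names, "production" environment,
# scripts/deploy.sh and DEPLOY_TOKEN are all assumptions.

# --- .github/workflows/validate.yml ---
# Runs for every pull request, including those opened from forks. Under the
# pull_request trigger a fork-originated run gets a read-only GITHUB_TOKEN and
# no repository secrets, so nothing in this workflow may rely on a secret.
# Caveat: do not switch this to pull_request_target and then check out the
# PR head; that trigger runs with the base repository's secrets.
name: validate
on:
  pull_request:
    branches: [main]
permissions:
  contents: read          # least privilege: the token can only read the repo
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

# --- .github/workflows/deploy.yml ---
# Runs only for commits already merged into main, never for a PR head, so
# untrusted fork code cannot reach the job that holds deploy credentials.
# The environment lets a manual approval gate be attached before prod deploys.
name: deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write         # only needed when exchanging an OIDC token for cloud credentials
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh  # assumed script; reads DEPLOY_TOKEN from the environment
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```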


Related commands

Require approval for production release
Add environment rules or manual gates before prod deploys.
Pin actions to a version or commit
Avoid floating references for critical workflow dependencies.
Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.
Use OIDC instead of long-lived cloud keys
Exchange a short-lived identity token for cloud credentials.
Protect production variables in GitLab
Restrict sensitive variables to protected branches or tags.