CI/CD Pipelines: Security, Secrets, and Governance

CI/CD Pipelines•Permalink

Least privilege, OIDC, protected variables, pinning, and release governance for safer pipelines.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

Harden pipeline credentials and permissions

Secure what your pipelines can access and modify.

Use least-privilege permissions in GitHub Actions

Explicitly scope the token for each workflow or job.

↗#

yamlANYpermissionssecuritygithub-actions

yaml

permissions:
  contents: read

Set the default permission level deliberately and elevate only when a job truly needs more access.

Use OIDC instead of long-lived cloud keys

Exchange a short-lived identity token for cloud credentials.

↗#

yamlANYoidcawssecurity

yaml

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
      aws-region: us-east-1

OIDC reduces secret sprawl by replacing stored cloud keys with short-lived federated credentials.

Protect production variables in GitLab

Restrict sensitive variables to protected branches or tags.

↗#

yamlANYprotected-variablesgitlab

yaml

deploy_production:
  stage: deploy
  only:
    - main

Pair protected branches/tags with protected variables so untrusted branches cannot access deploy secrets.

Reduce pipeline risk

Pin dependencies, isolate trust, and gate releases.

Pin actions to a version or commit

Avoid floating references for critical workflow dependencies.

↗#

yamlANYpinningactions

yaml

- uses: actions/checkout@v4

Pinning reduces surprise breakage. For higher assurance, pin to a full commit SHA after validation.

Be careful with untrusted pull requests

Avoid exposing secrets to code from forks.

↗#

yamlANYpull_requestforkssecurity

yaml

on:
  pull_request:
    branches: [main]

Treat external contributions as untrusted. Split validation workflows from secret-bearing deploy workflows.

Require approval for production release

Add environment rules or manual gates before prod deploys.

↗#

textANYapprovalproductionsecurity

text

Protect the production environment.
Require reviewers for prod deploy jobs.
Separate CI from production credentials.

Human approval is still one of the most effective controls for high-impact environments.

More in CI/CD Pipelines

CI/CD Pipelines: Debugging and Troubleshooting

Debug logs, common CI/CD failures, strict shell mode, retries, and faster pipeline diagnosis.

CI/CD Pipelines: Monorepos, Templates, and Maintainability

Selective execution, shared scripts, naming, and maintainable organization for growing automation estates.

CI/CD Pipelines: Releases, Rollbacks, and Quality Gates

Tag-based releases, canaries, rollbacks, smoke tests, migrations, and quality checks.

CI/CD Pipelines: Containers, Services, and Environments

Container build/push flows, service dependencies, environment modeling, and deploy snippets.

CI/CD Pipelines: Reuse, Matrix, Cache, and Artifacts

Reusable workflows, matrix builds, caching strategies, and artifacts across common CI/CD systems.

CI/CD Pipelines: Stages and Deployment Patterns

Stage design, promotions, manual approvals, and deployment strategy examples for safer delivery.

Recommended next

No recommendations yet.

Browse all sheets →