Cheat Sheet logoCheat Sheet Today

CI/CD Pipelines: Security, Secrets, and Governance

CI/CD PipelinesPermalink

Least privilege, OIDC, protected variables, pinning, and release governance for safer pipelines.

Sign in to save
View
StandardDetailedCompact
Export
Copy the compact sheet, download it, or print it.
Download
`D` dense toggle · `C` copy all
## Harden pipeline credentials and permissions
Use least-privilege permissions in GitHub Actions
#
permissions:
  contents: read

# Explicitly scope the token for each workflow or job.

Use OIDC instead of long-lived cloud keys
#
permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
      aws-region: us-east-1

# Exchange a short-lived identity token for cloud credentials.

Protect production variables in GitLab
#
deploy_production:
  stage: deploy
  only:
    - main

# Restrict sensitive variables to protected branches or tags.

## Reduce pipeline risk
Pin actions to a version or commit
#
- uses: actions/checkout@v4

# Avoid floating references for critical workflow dependencies.

Be careful with untrusted pull requests
#
on:
  pull_request:
    branches: [main]

# Avoid exposing secrets to code from forks.

Require approval for production release
#
Protect the production environment.
Require reviewers for prod deploy jobs.
Separate CI from production credentials.

# Add environment rules or manual gates before prod deploys.

More in CI/CD Pipelines

CI/CD Pipelines: Debugging and Troubleshooting
Debug logs, common CI/CD failures, strict shell mode, retries, and faster pipeline diagnosis.
CI/CD Pipelines: Monorepos, Templates, and Maintainability
Selective execution, shared scripts, naming, and maintainable organization for growing automation estates.
CI/CD Pipelines: Releases, Rollbacks, and Quality Gates
Tag-based releases, canaries, rollbacks, smoke tests, migrations, and quality checks.
CI/CD Pipelines: Containers, Services, and Environments
Container build/push flows, service dependencies, environment modeling, and deploy snippets.
CI/CD Pipelines: Reuse, Matrix, Cache, and Artifacts
Reusable workflows, matrix builds, caching strategies, and artifacts across common CI/CD systems.
CI/CD Pipelines: Stages and Deployment Patterns
Stage design, promotions, manual approvals, and deployment strategy examples for safer delivery.

Recommended next

No recommendations yet.
Browse all sheets →