Least privilege, OIDC, protected variables, pinning, and release governance for safer pipelines.

Secure what your pipelines can access and modify.

Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.

permissions:
  contents: read

Set the default permission level deliberately and elevate only when a job truly needs more access.
Exchange a short-lived identity token for cloud credentials.

permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
      aws-region: us-east-1

OIDC reduces secret sprawl by replacing stored cloud keys with short-lived federated credentials.
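The two settings above combined into one complete workflow, as an added example that is not part of the original page: the workflow-level default token is read-only, and only the deploy job elevates to id-token: write. The role ARN and region are the ones shown on the page; the repository layout, the make test step and the example bucket name are assumptions.

```yaml
# .github/workflows/build-and-deploy.yml  (added example, not from the page)
# Assumption: an IAM role "github-actions-deploy" in account 123456789012 whose
# trust policy accepts the GitHub OIDC provider for this repository only.
name: build-and-deploy

on:
  push:
    branches: [main]

# Weak default (avoid): every job would receive a write-capable GITHUB_TOKEN.
# permissions: write-all

# Hardened default: the token can only read repository contents.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default; no permissions block needed here.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test entry point

  deploy:
    needs: test
    runs-on: ubuntu-latest
    # Elevate only in this job, and only what OIDC needs (id-token: write).
    # A job-level block replaces the workflow default entirely, so contents: read
    # must be restated or checkout will fail.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
      # The credentials above are short-lived STS tokens obtained by exchanging the
      # job's OIDC token; no AWS access key is stored as a repository secret.
      - run: aws s3 sync ./dist s3://example-deploy-bucket --delete   # assumed target
```

On the AWS side, the role's trust policy should require the audience sts.amazonaws.com (the default audience configure-aws-credentials requests) and restrict the sub claim to this repository and branch, for example repo:ORG/REPO:ref:refs/heads/main; without that condition any workflow the OIDC provider trusts could assume the role.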
Restrict sensitive variables to protected branches or tags.

deploy_production:
  stage: deploy
  only:
    - main

Pair protected branches/tags with protected variables so untrusted branches cannot access deploy secrets.
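A .gitlab-ci.yml that applies the protected-variable rule above, added here as an example rather than taken from the page. It uses rules: with the predefined CI_COMMIT_REF_PROTECTED variable instead of the legacy only: keyword, so the job is skipped unless the pipeline ref is both protected and main; the stage names, the DEPLOY_TOKEN variable and the deploy.sh script are assumptions.

```yaml
# .gitlab-ci.yml  (added example, not from the page)
# Assumptions: "main" is a protected branch, and DEPLOY_TOKEN is defined as a
# protected (and masked) CI/CD variable in the project's settings.
stages:
  - test
  - deploy

test:
  stage: test
  script:
    - make test   # assumed test entry point
  # Runs for every branch and merge request. DEPLOY_TOKEN is not injected here:
  # protected variables are only exposed to pipelines on protected refs.

deploy_production:
  stage: deploy
  environment:
    name: production
  rules:
    # Run only when the ref is protected AND is main; any other ref skips the job.
    - if: '$CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH == "main"'
    # Explicit fall-through (this is also the default when no rule matches).
    - when: never
  script:
    # Fail closed if the protected variable is missing, e.g. because the job was
    # mistakenly run on an unprotected ref, instead of deploying with an empty token.
    - test -n "$DEPLOY_TOKEN" || { echo "DEPLOY_TOKEN not available; refusing to deploy"; exit 1; }
    - ./deploy.sh   # assumed deploy script
```

The "Protect variable" flag itself is set in the project's CI/CD variable settings, not in the YAML; the rules: block only makes the job's trigger condition match the variable's exposure condition, and the guard in script turns a misconfiguration into a failed job rather than a silent deploy.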
Pin dependencies, isolate trust, and gate releases.

Avoid floating references for critical workflow dependencies.

- uses: actions/checkout@v4

Pinning reduces surprise breakage. For higher assurance, pin to a full commit SHA after validation.
Avoid exposing secrets to code from forks.

on:
  pull_request:
    branches: [main]

Treat external contributions as untrusted. Split validation workflows from secret-bearing deploy workflows.
Add environment rules or manual gates before prod deploys.

- Protect the production environment.
- Require reviewers for prod deploy jobs.
- Separate CI from production credentials.

Human approval is still one of the most effective controls for high-impact environments.
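The fork-isolation, pinning and gating cards above combined into a matching pair of workflows, added as an example and not the page's own configuration. The validation workflow runs on pull_request, an event for which GitHub withholds repository secrets from fork-originated runs and issues a read-only GITHUB_TOKEN, while the deploy workflow runs only on pushes to main and pauses in a production environment that has required reviewers configured. The 40-zero commit SHA is a placeholder for the SHA you validated; the DEPLOY_TOKEN environment secret, deploy.sh script and make test step are assumptions.

```yaml
# Two workflow files (added example, not from the page). The "---" line only
# marks the file boundary here; each document below is its own file.
#
# .github/workflows/ci.yml: runs for every pull request, including ones from forks.
name: ci
on:
  pull_request:
    branches: [main]
permissions:
  contents: read   # fork PRs get a read-only token and see no repository secrets
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA; the trailing comment records the validated tag.
      # The 40 zeros are a placeholder: replace with the SHA you reviewed.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - run: make test   # assumed test entry point
      # Deliberately no deploy steps and no secrets.* references in this workflow.
---
# .github/workflows/deploy.yml: runs only on pushes to main, never on pull_request events.
name: deploy
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    # "production" is a GitHub environment with required reviewers configured;
    # the job waits here until a reviewer approves, and environment-scoped
    # secrets are released only after that approval.
    environment: production
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - run: ./deploy.sh   # assumed deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # assumed environment secret
```

Keeping the secret in the production environment rather than at repository level means the ci.yml workflow cannot reference it at all, and the environment's reviewer rule is enforced by GitHub before any step of the deploy job runs.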