Cheat Sheet logoCheat Sheet Today

GitHub Actions: Secrets, Permissions, Security, and OIDC

GitHub ActionsPermalink

Secure GitHub Actions workflows with permissions, environments, secrets, masking, fork safety, and OpenID Connect for cloud auth.

Sign in to save
View
StandardDetailedCompact
Export
Copy the compact sheet, download it, or print it.
Download
`D` dense toggle · `C` copy all
## Permissions and secrets
Set least-privilege token permissions
#
permissions:
  contents: read

# Limit the default GITHUB_TOKEN scope.

Grant write access only where needed
#
jobs:
  release:
    permissions:
      contents: write

# Elevate token permissions on a specific job.

Expose a secret as an environment variable
#
- name: Login
  env:
    API_TOKEN: ${{ secrets.API_TOKEN }}
  run: ./scripts/login.sh

# Use the `secrets` context in step env.

Mask a dynamic sensitive value
#
echo "::add-mask::$TOKEN"

# Hide a generated or fetched secret from logs.

Use protected environments for deploys
#
jobs:
  deploy:
    environment: production

# Require approval and environment-scoped secrets.

## OIDC and fork safety
Enable OIDC token issuance
#
permissions:
  id-token: write
  contents: read

# Grant `id-token: write` when using cloud federation.

Configure AWS credentials via OIDC
#
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
    aws-region: us-east-1

# Use the AWS credentials action without long-lived keys.

Authenticate to Google Cloud with OIDC
#
- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/pool/providers/provider
    service_account: deployer@example-project.iam.gserviceaccount.com

# Use workload identity federation for GCP.

Do not expose secrets to untrusted forks
#
on:
  pull_request:

# Avoid unsafe patterns for public repo pull requests.

More in GitHub Actions

GitHub Actions: Debugging, Logs, and Troubleshooting
Debug failing GitHub Actions workflows with log grouping, debug logging, step summaries, shell flags, and common troubleshooting patterns.
GitHub Actions: Runners, Containers, Services, and Self-Hosted Execution
GitHub-hosted runners, self-hosted runners, job containers, service containers, labels, and operational patterns for GitHub Actions execution.
GitHub Actions: Testing, Build, Release, and Deploy Pipelines
Practical CI/CD recipes for testing, build matrices, release creation, package publishing, and environment-based deployments in GitHub Actions.
GitHub Actions: Caching, Artifacts, and GitHub CLI Workflows
Cache dependencies, upload and download artifacts, and drive workflows with GitHub CLI commands in GitHub Actions.
GitHub Actions: Expressions, Contexts, Variables, and Outputs
Expressions, contexts, env vars, configuration variables, step outputs, job outputs, and dynamic workflow logic in GitHub Actions.
GitHub Actions: Jobs, Steps, Matrix, and Reusable Building Blocks
Jobs, steps, matrix builds, conditional execution, reusable workflows, composite actions, and service containers in GitHub Actions.

Recommended next

No recommendations yet.
Browse all sheets →