GitHub Actions workflows should follow the principle of least privilege by giving reusable workflows access only to the specific secrets they require. When `secrets: inherit` is used to call a reusable workflow, all repository secrets become available to the reusable workflow, creating unnecessary security risks.

This practice increases the attack surface and the potential for secret exposure: any vulnerability in the reusable workflow could compromise all secrets rather than just the ones it actually needs. It also violates the principle of least privilege by granting broader access than necessary.
Ask Yourself Whether
- There are secrets in the repository that are unrelated to the reusable workflow’s purpose.
- The reusable workflow could function with access to only specific, named secrets.
There is a risk if you answer yes to any of the above questions.
Recommended Secure Coding Practices
- Provide reusable workflows with access only to the specific secrets they require.
- Use individual secret references instead of inheriting all secrets.
- Regularly audit and remove unused secrets from the repository.
- Consider the trust level of external reusable workflows before granting secret access.
- Implement proper secret rotation policies to limit exposure duration.
Sensitive Code Example

```yaml
name: Example
on:
  pull_request:
jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets: inherit # Sensitive
```
Compliant Solution

```yaml
name: Example
on:
  pull_request:
jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets:
      SECRET: ${{ secrets.EXAMPLE_SECRET }}
```
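As an added example (not part of the rule page and not SonarSource code), the following Python script audits caller workflows for the two patterns above: it reports every job that uses `secrets: inherit` and, for jobs that pass secrets explicitly, lists exactly which named secrets are granted. This is the inventory a reviewer needs for the "audit and remove unused secrets" practice. The two workflow texts are constructed samples modelled on the examples above; the `DEPLOY_TOKEN` secret and the `build` job are assumptions added for illustration. The parser is deliberately dependency-free and line-based, so it assumes workflows use consistent space indentation, which is the common case for GitHub Actions files.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the sensitive pattern, plus an unrelated job with no secrets.
SENSITIVE_WORKFLOW = """\
name: Example
on:
  pull_request:
jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets: inherit # Sensitive
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo build
"""

# Constructed sample: the compliant pattern with two explicitly named secrets
# (DEPLOY_TOKEN is an assumed name, not one from the rule page).
COMPLIANT_WORKFLOW = """\
name: Example
on:
  pull_request:
jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets:
      SECRET: ${{ secrets.EXAMPLE_SECRET }}
      TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# `secrets: inherit`, optionally followed by a trailing comment.
INHERIT_RE = re.compile(r"^secrets:\s*inherit\s*(#.*)?$")
# A `${{ secrets.NAME }}` reference inside an explicit secrets mapping.
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

Grant = Union[str, List[str]]  # "ALL" for inherit, else the list of secret names


def audit_secret_grants(workflow_text: str) -> Dict[str, Grant]:
    """Map each job name to the secrets it grants to a called workflow.

    A job that uses `secrets: inherit` maps to "ALL"; a job with an explicit
    `secrets:` mapping maps to the referenced secret names in file order;
    a job that passes no secrets maps to an empty list.
    """
    grants: Dict[str, Grant] = {}
    in_jobs = False
    job_indent = None        # indentation of job keys under `jobs:`
    current_job = None
    in_secrets_map = False
    secrets_indent = 0

    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))

        if indent == 0:
            # A top-level key: we are in the jobs mapping only if it is `jobs:`.
            in_jobs = stripped == "jobs:"
            current_job = None
            in_secrets_map = False
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent  # first indented line under jobs: sets the job level
        if indent == job_indent and stripped.endswith(":"):
            current_job = stripped[:-1]
            grants.setdefault(current_job, [])
            in_secrets_map = False
            continue
        if current_job is None:
            continue

        if INHERIT_RE.match(stripped):
            grants[current_job] = "ALL"
            in_secrets_map = False
            continue
        if stripped == "secrets:":
            in_secrets_map = True
            secrets_indent = indent
            continue
        if in_secrets_map:
            if indent <= secrets_indent:
                in_secrets_map = False  # left the secrets mapping
            else:
                match = SECRET_REF_RE.search(stripped)
                granted = grants[current_job]
                if match and isinstance(granted, list):
                    granted.append(match.group(1))
    return grants


def find_inherited_secrets(workflow_text: str) -> List[str]:
    """Return the names of jobs that hand every repository secret to a reusable workflow."""
    return [job for job, grant in audit_secret_grants(workflow_text).items() if grant == "ALL"]


if __name__ == "__main__":
    for label, text in (("sensitive", SENSITIVE_WORKFLOW), ("compliant", COMPLIANT_WORKFLOW)):
        print(label, audit_secret_grants(text), "inherit in:", find_inherited_secrets(text))
```

Running the script reports `call-reusable-workflow` as granting `ALL` secrets in the sensitive sample and exactly `EXAMPLE_SECRET` and `DEPLOY_TOKEN` in the compliant one; the explicit list is what you compare against the secrets the reusable workflow actually declares under `workflow_call` when deciding what to keep.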
See