Is it okay to use GitHub Secrets with a public repo?

Question

I have a private repo with a GitHub Action that pushes the code to an AWS S3 bucket when there's a new push to the master branch. I need a pair of access keys to be able to push the contents and I'm storing them as GitHub Secrets and referencing them as environment variables in the build script. Now I would like to make this repo public in the near future, and I was wondering if it's a safe thing to do. The workflow (.github/workflows/main.yml) itself for the action is indeed publicly visible and what it does, but it only has the single command aws s3 cp myfile s3://my-bucket and absolutely no access keys in the code itself.

Is it safe to use GitHub Secrets for the Actions in a public repo? I am the sole owner and only contributor, this will not change in the future. I might switch to CodePipeline with a webhook later but wanted to try GitHub Actions first. Thanks.

Answer 1

Yes, secrets are safe to use in public repositories but there are some things you should be careful about.

• All secrets are automatically masked in build logs and show as *** . However, if during your workflow you create a sensitive credential from a secret (eg base64 an API key) then you should mask the new value so it doesn't leak in the build log.

   echo "::add-mask::My sensitive value"

• If you are very concerned about the security of your secrets, I would also suggest not using third party GitHub actions directly by following the action's tags or branches. Fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets being used by the action, and send them to some external server under their control.

  Alternatively, use the action directly and reference the commit hash for the version you want to target.

   - uses: thirdparty/foo-action@172ec762f2ac8e050062398456fccd30444f8f30

• Use two-factor authentication (2FA) on your account. If your account is compromised, it's trivial for an attacker to create a workflow and export your secrets.

• Repository collaborators or any organization users with write access are able to create a workflow to export secrets. So manage access to your repository carefully.

Points related to pull requests:

• Public repository pull_request events triggered by forks do not have access to secrets, except for the default GITHUB_TOKEN . Additionally, The GITHUB_TOKEN has read-only access when an event is triggered by a forked repository . These are intentional restrictions enforced by GitHub Actions to prevent an attacker creating a pull request containing a workflow that captures secrets, or uses secrets to perform operations.
• The pull_request_target event does not have secret restrictions for events triggered by forks. By default it checks out the last commit on the base branch, but it is possible to checkout the pull request HEAD. Choosing to do this requires extreme caution. Passing secrets to any code that could be modified in a pull request could allow an attacker to write code to export secrets.

Answer 2

Yes, it appears so. According to Github , you have organization-level access control policies to who can access your secrets.

For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.

Whether the repository is public or private does not affect this, and that makes sense. Public projects need secrets, too.