Why should I use OIDC instead of stored secrets?

OIDC (OpenID Connect) allows for 'secretless' authentication by using short-lived, identity-based tokens for cloud providers, eliminating the need to store long-lived credentials that could be compromised.

When should I use environment-level secrets?

Use environment secrets for deployment-specific credentials (like production DB strings) where you need additional protection such as manual approval gates or branch-specific restrictions.

How can I prevent secrets from leaking in workflow logs?

Avoid interpolating secrets directly into shell commands. Instead, pass secrets as environment variables to ensure GitHub's log masking engine can effectively redact them from the output.

What is the difference between secrets and variables in GitHub Actions?

Secrets are encrypted at rest and masked in logs for sensitive data like API keys, whereas configuration variables are stored as plaintext and used for non-sensitive data like environment names or URLs.

Secure Secret Management for GitHub Actions

Name: Secure Secret Management for GitHub Actions
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

보안 및 테스팅

Implements secure credential management, storage hierarchies, and OIDC authentication patterns within GitHub Actions workflows.

This skill provides a comprehensive framework for managing sensitive information in CI/CD pipelines, specifically focusing on GitHub Actions. It guides users through the secret storage hierarchy (repository, organization, and environment levels), helps mitigate exposure risks like log leakage and pull request injection, and promotes advanced security patterns such as 'secretless' OIDC authentication. By following these patterns, developers can ensure their production infrastructure, cloud accounts, and API tokens remain protected against common supply chain attacks.

주요 기능

01Threat modeling for pull_request and pull_request_target events

02OIDC 'secretless' federation for AWS, GCP, and Azure

03GitHub Actions secret storage hierarchy optimization (Repo, Org, Environment)

04Workflow log exposure prevention and masking strategies

05Configuration of environment protection rules and approval gates

060 GitHub stars

사용 사례

01Migrating from long-lived service account keys to short-lived OIDC tokens

02Securing production deployment credentials with mandatory manual approval gates

03Preventing accidental credential leakage in public repository CI logs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills secret-management-overview

For use in Claude.ai and ChatGPT

Download Skill