Why should I use OIDC instead of stored secrets?

OIDC (OpenID Connect) allows for 'secretless' authentication by using short-lived, identity-based tokens for cloud providers, eliminating the need to store long-lived credentials that could be compromised.

When should I use environment-level secrets?

Use environment secrets for deployment-specific credentials (like production DB strings) where you need additional protection such as manual approval gates or branch-specific restrictions.

How can I prevent secrets from leaking in workflow logs?

Avoid interpolating secrets directly into shell commands. Instead, pass secrets as environment variables to ensure GitHub's log masking engine can effectively redact them from the output.

What is the difference between secrets and variables in GitHub Actions?

Secrets are encrypted at rest and masked in logs for sensitive data like API keys, whereas configuration variables are stored as plaintext and used for non-sensitive data like environment names or URLs.

Secure Secret Management for GitHub Actions

Name: Secure Secret Management for GitHub Actions
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

安全与测试

Implements secure credential management, storage hierarchies, and OIDC authentication patterns within GitHub Actions workflows.

关于

This skill provides a comprehensive framework for managing sensitive information in CI/CD pipelines, specifically focusing on GitHub Actions. It guides users through the secret storage hierarchy (repository, organization, and environment levels), helps mitigate exposure risks like log leakage and pull request injection, and promotes advanced security patterns such as 'secretless' OIDC authentication. By following these patterns, developers can ensure their production infrastructure, cloud accounts, and API tokens remain protected against common supply chain attacks.

主要功能

Threat modeling for pull_request and pull_request_target events
OIDC 'secretless' federation for AWS, GCP, and Azure
GitHub Actions secret storage hierarchy optimization (Repo, Org, Environment)
Workflow log exposure prevention and masking strategies
Configuration of environment protection rules and approval gates
0 GitHub stars

使用场景

Migrating from long-lived service account keys to short-lived OIDC tokens
Securing production deployment credentials with mandatory manual approval gates
Preventing accidental credential leakage in public repository CI logs

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills secret-management-overview

For use in Claude.ai and ChatGPT

Download Skill

GitHub

关于