How to Use GitHub Actions with Security in Mind

NDC Conferences via YouTube

Overview

The course teaches learners how to enhance the security of their GitHub Actions workflows in continuous integration/continuous deployment scenarios. By the end of the course, students will be able to identify and improve security vulnerabilities in their pipelines, manage access control, implement best practices for code and secrets, and protect against common workflow attack vectors. The course covers topics such as GitHub workflows, repository security, configuring access, workflow secrets, persisting data, workflow runners, forking actions, and staying up to date with action versions. The teaching method includes theoretical explanations, practical examples, best practice recommendations, and guidance on protective measures. This course is designed for DevOps engineers and individuals working with continuous integration/continuous deployment pipelines who want to enhance the security of their GitHub Actions workflows.

Syllabus

Intro
What are GitHub workflows?
What are GitHub Actions?
Workflow example
Repository security
Code - Who has access?
Configuring access
From the user
Workflow secrets
Who has access to your secrets?
Your code - Best practices
GitHub Actions Security
Best practice: Run the action inside of a container
Persisting data between runs
Workflow runners - Best practice
Verified Creator
Protective measures
Recommendation
Workflow attack vectors
Forks of public repos
Pull Requests
Common fields
Remediation
Forking actions
Staying up to date
Update action versions
Option 1: Use SHA+Dependabot
Use Dependabot
Keep your forked action up to date
Review before merging
Automation
Pros of forking
Best practices summarized

Taught by

NDC Conferences
