Revision history [back]

There are several measures that can be taken to safeguard GitHub secrets within pull request actions from malevolent pull requests:

1. Limit Access: Limit access to secrets to only the necessary personnel or trusted contributors.

2. Use Encrypted Secrets: Use encrypted secrets in the file system rather than plaintext, so that they cannot be accessed easily even if someone gains access to the repository.

3. Use Contexts: Use contexts to limit access to secrets based on the type of action that is being performed.

4. Third Party Integrations: Use third-party integrations with tools like GitHub Actions, TravisCI or CircleCI that provide built-in encryption and a secure environment for running actions.

5. Review Pull Requests Carefully: Review pull requests thoroughly before merging them, including checking for any changes that may affect secrets.

6. Audit Trail: Maintain an audit trail of all access to secrets by creating logs, alerts or notifications when any access or modification is made.

7. Strong Passwords: Use strong passwords and two-factor authentication to protect against credential-stuffing attacks.

8. Employ Mitigation Strategies: Employ mitigation strategies, such as revoking access to secrets, or regenerating secret keys immediately if an unauthorized access is detected.

9. Keep Secrets outside the source code: Keep secrets outside the source code, such as using a secret management service like AWS Secrets Manager or HashiCorp Vault.