Is it okay to use GitHub Secrets with a public repo?
Yes, it appears so. According to Github, you have organization-level access control policies to who can access your secrets.
For secrets stored at the organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.
Whether the repository is public or private does not affect this, and that makes sense. Public projects need secrets, too.
Yes, secrets are safe to use in public repositories but there are some things you should be careful about.
All secrets are automatically masked in build logs and show as
***. However, if during your workflow you create a sensitive credential from a secret (e.g. base64 an API key) then you should mask the new value so it doesn't leak in the build log.
echo "::add-mask::My sensitive value"
If you are very concerned about the security of your secrets, I would also suggest not using third party GitHub actions directly by following the action's tags or branches. Fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets being used by the action, and send them to some external server under their control.
Alternatively, use the action directly and reference the commit hash for the version you want to target.
- uses: thirdparty/foo-action@172ec762f2ac8e050062398456fccd30444f8f30
Use two-factor authentication (2FA) on your account. If your account is compromised, it's trivial for an attacker to create a workflow and export your secrets.
Repository collaborators or any organization users with
writeaccess are able to create a workflow to export secrets. So manage access to your repository carefully.
Points related to pull requests:
- Public repository
pull_requestevents triggered by forks do not have access to secrets, except for the default
GITHUB_TOKEN. Additionally, The
GITHUB_TOKENhas read-only access when an event is triggered by a forked repository. These are intentional restrictions enforced by GitHub Actions to prevent an attacker creating a pull request containing a workflow that captures secrets, or uses secrets to perform operations.
pull_request_targetevent does not have secret restrictions for events triggered by forks. By default it checks out the last commit on the base branch, but it is possible to checkout the pull request HEAD. Choosing to do this requires extreme caution. Passing secrets to any code that could be modified in a pull request could allow an attacker to write code to export secrets.