Explore essential security best practices in GitHub Actions with this quiz designed to improve your workflow protection strategies. Enhance your understanding of secrets management, permissions control, workflow configuration, and vulnerability mitigation in CI/CD pipelines.
Which approach best follows the principle of least privilege when assigning permissions to a workflow that uploads build artifacts?
Explanation: Granting only the minimum required permissions ensures that the workflow cannot perform unwanted actions, following the principle of least privilege. Assigning administrator or broad permissions (such as full read and write across the repository) increases risk and potential abuse. Allowing unauthenticated users to trigger workflows exposes vulnerabilities. Only the correct choice upholds security without unnecessary access.
In managing sensitive values such as API keys for use within workflows, which method offers the most secure storage and usage?
Explanation: The repository’s secrets manager encrypts and masks sensitive values, keeping them secure and inaccessible to unauthorized users. Storing secrets directly in workflow files or documentation exposes them to anyone with repository access. Committing secrets to a public branch significantly increases risk. Only the repository’s secrets manager is designed for secure handling of credentials in workflows.
What is a recommended way to prevent untrusted users from triggering potentially dangerous workflow runs on pull requests?
Explanation: Restricting workflow runs to trusted branches and users minimizes the risk of arbitrary code execution from untrusted sources. Allowing runs from any fork or branch can allow attackers to exploit workflows. Disabling status checks weakens oversight, and using default permissions for everyone can be overly permissive. Restriction provides tailored and controlled security.
Why is it important to keep third-party action dependencies up to date when configuring workflows?
Explanation: Using outdated actions risks introducing security holes, as vulnerabilities may be fixed only in newer versions. Visual improvements do not impact security, and there is no evidence that older actions improve workflow performance. Licensing requirements are not guaranteed to change with updates. Thus, updating actions is critical for vulnerability mitigation.
How can you best reduce the risk of unauthorized or malicious modifications to workflow files?
Explanation: Branch protections and mandatory code reviews ensure that workflow changes are reviewed and approved, reducing the chance of unauthorized or harmful edits. Allowing direct commits from all contributors removes oversight. Disabling audit logs means fewer records in case of an incident, and sharing workflow files informally does not prevent risky changes. Code review enforces accountability and control.