Marcel Lupo
Best Practices for Using GitHub Secrets
#1 about 2 minutes
Understanding the fundamentals of GitHub Secrets
GitHub Secrets provide an encrypted way to store sensitive data like API keys within repositories for use in CI/CD workflows.
#2 about 6 minutes
Managing secrets at different scopes in the UI
Secrets can be managed at the repository, environment, or organization level through the UI, but repository-level secrets become difficult to rotate at scale.
#3 about 5 minutes
Consuming secrets in workflows and avoiding common pitfalls
Reference secrets in GitHub Actions using the `secrets` context, but be aware of pitfalls like hard-coding, commit history exposure, and improper access control.
#4 about 5 minutes
Integrating GitHub with Azure Key Vault for centralization
Use Azure Key Vault as a centralized secret store to manage secrets outside of GitHub, improving scalability and separating access controls.
#5 about 7 minutes
Configuring passwordless authentication using OpenID Connect
Set up a federated identity in Azure Entra ID with OpenID Connect to allow GitHub Actions to authenticate to Azure without long-lived secrets.
#6 about 7 minutes
Fetching Azure Key Vault secrets in a GitHub workflow
Use the `azure/login` action with OIDC to authenticate, then use Azure CLI within a workflow to retrieve secrets from Key Vault for subsequent steps.
#7 about 4 minutes
Key benefits of the Azure Key Vault integration
Integrating with Azure Key Vault provides centralized management, granular RBAC, secret versioning and history, and enhanced auditing capabilities.
Matching moments
02:32 MIN
Securing workflows with secrets and best practices
CI/CD with Github Actions
07:11 MIN
Why hard-coded secrets are a growing developer problem
Stop Committing Your Secrets - Git Hooks To The Rescue!
03:42 MIN
Securely handing over credentials and application secrets
SRE Methods In an Agency Environment
03:59 MIN
Using Azure for secure configuration and secrets management
Develop enterprise-ready applications for Microsoft Teams with Azure resources on modern web technologies
15:37 MIN
Key takeaways for preventing secret leaks in code
Stop Committing Your Secrets - Git Hooks To The Rescue!
04:08 MIN
The risk of exposing credentials in Git repositories
Securing Secrets in the GitOps era
18:28 MIN
Q&A on GitOps secret management practices
Securing secrets in the GitOps Era
02:42 MIN
Prevent leaked secrets with push protection and scanning
Real-World Security for Busy Developers
Related Videos
Securing secrets in the GitOps Era
Davide Imola
Securing Secrets in the GitOps era
Alex Soto
Lights, Camera, GitHub Actions!
Ixchel Ruiz
CI/CD with Github Actions
Chris Ayers
Stop Committing Your Secrets - Git Hooks To The Rescue!
Dwayne McDaniel
External Secrets Operator: the secrets management toolbox for self-sufficient teams
Moritz Johner
Real-World Security for Busy Developers
Kevin Lewis
What The Hack is Web App Sec?
Jackie