Passing secrets as inputs to composite actions. Is it safe ? #34212
Unanswered
rekaparathalwar
asked this question in
Actions
Replies: 1 comment 3 replies
-
The security implications are the same as for passing secrets to any other type of action: You're giving the secret to the action, and potentially (depending on how the action handles its inputs) any code the action calls. For a composite action that might include other actions it calls. To see if the handling is safe you'll have to audit the specific action, and anything it calls with access to the secret input. If you determine the action is safe you might want to reference it by commit ID in your workflow to make sure it can't change without you noticing. |
Beta Was this translation helpful? Give feedback.
3 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Composite action doesnt support passing secrets. Instead we can pass the secrets as inputs to composite action.
Is it safe doing so ? Is there any security implications ?
Beta Was this translation helpful? Give feedback.
All reactions