

Note: If your GitHub Actions workflows need to access resources from a cloud provider that supports OpenID Connect (OIDC), you can configure your workflows to authenticate directly to the cloud provider. This lets you stop storing these credentials as long-lived secrets and provides other security benefits. For more information, see "About security hardening with OpenID Connect."

Naming your secrets

The following rules apply to secret names:

- Names can only contain alphanumeric characters ([a-z], [A-Z], [0-9]) or underscores (_).
- Names must not start with the GITHUB_ prefix.
- Names must be unique at the level they are created at. For example, a secret created at the environment level must have a unique name in that environment, a secret created at the repository level must have a unique name in that repository, and a secret created at the organization level must have a unique name at that level.

If a secret with the same name exists at multiple levels, the secret at the lowest level takes precedence. For example, if an organization-level secret has the same name as a repository-level secret, then the repository-level secret takes precedence. Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.

To help ensure that GitHub redacts your secret in logs, avoid using structured data as the values of secrets. For example, avoid creating secrets that contain JSON or encoded Git blobs.

To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file. Review the action's README file to learn which inputs and environment variables the action expects. For more information, see "Workflow syntax for GitHub Actions."

You can use and read encrypted secrets in a workflow file if you have access to edit the file. For more information, see "Access permissions on GitHub."

Warning: GitHub automatically redacts secrets printed to the log, but you should avoid printing secrets to the log intentionally.

Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.

You can also manage secrets using the REST API. For more information, see "Actions."

Limiting credential permissions

When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use deploy keys or a service account. Consider granting read-only permissions if that is all that is needed, and limit access as much as possible. When generating a personal access token (classic), select the fewest scopes necessary. When generating a fine-grained personal access token, select the minimum permissions and repository access required.

Instead of using a personal access token, consider using a GitHub App, which uses fine-grained permissions and short-lived tokens, similar to a fine-grained personal access token. Unlike a personal access token, a GitHub App is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see "Making authenticated API requests with a GitHub App in a GitHub Actions workflow."

Note: By default, GitHub CLI authenticates with the repo and read:org scopes. To manage organization secrets, you must additionally authorize the admin:org scope.

To add a secret for an organization, use the gh secret set subcommand with the --org or -o flag followed by the organization name.

gh secret set --org ORG_NAME SECRET_NAME

By default, the secret is only available to private repositories. To specify that the secret should be available to all repositories within the organization, use the --visibility or -v flag.

gh secret set --org ORG_NAME SECRET_NAME --visibility all

To specify that the secret should be available to selected repositories within the organization, use the --repos or -r flag.

gh secret set --org ORG_NAME SECRET_NAME --repos REPO-NAME-1,REPO-NAME-2

Reviewing access to organization-level secrets

To list all secrets for an organization, use the gh secret list subcommand with the --org or -o flag followed by the organization name.

gh secret list --org ORG_NAME

The listing shows which access policies are being applied to each secret in your organization.
