Should I remove confidential files at the end of a GitHub Action workflow?

Time: 05-19

I have some actions where I need to store a secret into a file. This secret is used by another job later, like:

env:
  FIREBASE_DISTRIBUTION_KEY: ${{ secrets.GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY }}
run: |
  # Quote the expansion so the JSON is written byte-for-byte (unquoted, the shell would word-split it)
  echo "$FIREBASE_DISTRIBUTION_KEY" > key.json
  export GOOGLE_APPLICATION_CREDENTIALS=key.json
  # 'export' only lasts for this step; GITHUB_ENV carries the variable to later steps of the same job
  echo "GOOGLE_APPLICATION_CREDENTIALS=$PWD/key.json" >> "$GITHUB_ENV"

From a security perspective, should I remove key.json at the end of the workflow? Like:

- name: Remove credentials
  if: always()
  run: |
    # -f so the cleanup step does not fail when an earlier step never wrote the file
    rm -f key.json

I'm thinking about a scenario where the GitHub Actions containers are compromised and someone has access to the files, or a case where I don't trust GitHub to delete the GitHub Action container completely.
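For reference, here is the workflow from the question written out end to end, with the key file confined to the runner's temporary directory and removed in a final step. This is an added example, not code from the original question or answer; it assumes a repository secret named GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY (the name used above) and a placeholder deploy script at `./scripts/deploy.sh`. Note that a file written in one job is not visible to a later job at all, since every job starts on a fresh runner, so the key has to be written in the job that uses it.

```yaml
# Added example workflow (not the original poster's). Assumes the secret
# GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY exists and ./scripts/deploy.sh is the
# real deployment command (placeholder).
name: firebase-distribution
on:
  workflow_dispatch:

jobs:
  distribute:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Write service-account key
        env:
          FIREBASE_DISTRIBUTION_KEY: ${{ secrets.GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY }}
        run: |
          # Restrict the file to the runner user before it is created.
          umask 077
          # Quote the expansion so JSON whitespace survives; printf avoids
          # echo interpreting backslash escapes in the key material.
          # RUNNER_TEMP is the per-job scratch directory provided by the runner.
          printf '%s\n' "$FIREBASE_DISTRIBUTION_KEY" > "$RUNNER_TEMP/key.json"
          # 'export' only lives for this step; GITHUB_ENV carries the variable
          # to the remaining steps of this job.
          echo "GOOGLE_APPLICATION_CREDENTIALS=$RUNNER_TEMP/key.json" >> "$GITHUB_ENV"

      - name: Deploy
        run: ./scripts/deploy.sh   # placeholder for the real deployment command

      - name: Remove credentials
        if: always()               # run even when the deploy step fails
        run: rm -f "$RUNNER_TEMP/key.json"
```

On GitHub-hosted runners the cleanup step is harmless but redundant, because the whole virtual machine is discarded after the job. It does matter on a self-hosted runner, where the working directory and temp directory persist between jobs unless the runner is ephemeral, which is the main case in which a step like this earns its place.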

CodePudding user response:

This is not necessary.

First, GitHub Actions runners are not containers, they're virtual machines. There's no opportunity for container escape, and there's no notion of "cleaning up" the containers.

The virtual machine is disposed of completely. Neither the virtual machine that ran your job - nor any of its disk images - will be re-used.
