GitHub Actions
Definition
GitHub Actions is a CI/CD platform that allows developers to automate workflows directly within their GitHub repositories. It enables users to build, test, and deploy code by defining workflows in YAML files, which specify the events that trigger the workflows and the jobs that run in response. GitHub Actions supports a wide range of integrations and can be used to automate tasks such as code linting, testing, and deployment to various environments.
Secure Settings Example
name: Secure Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2        # referenced by tag; pinning to a full commit SHA is stricter
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '14'
      - name: Install dependencies
        run: npm ci                      # installs exactly what package-lock.json records, fails on drift
      - name: Run tests
        run: npm test
      - name: Deploy
        if: github.ref == 'refs/heads/main'   # deploy only from main, never from a pull request build
        run: npm run deploy
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}   # credential comes from repository secrets, not the file
Insecure Settings Example
name: Insecure Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '14'
      - name: Install dependencies
        run: npm install                 # weakness: may resolve newer versions than the lockfile records
      - name: Run tests
        run: npm test
      - name: Deploy                     # weakness: no 'if:' guard, so pull requests also trigger a deploy
        run: npm run deploy
        env:
          DEPLOY_KEY: hardcoded-insecure-key   # weakness: secret committed in plaintext to the repository
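The following is an added example, not part of the original entry: a small Python linter that reads workflow text and reports the weaknesses the two examples above contrast (a literal value under env: instead of a secrets.* reference, npm install instead of npm ci, a deploy step with no if: guard). It also flags actions referenced by tag rather than a full commit SHA, which applies to both examples, including the "secure" one. The parser is a deliberately minimal, indentation-based step extractor written for this example (it assumes one step per "- name:" line), not a full YAML parser, and both workflow strings are constructed here from the page's examples.

```python
"""Lint GitHub Actions workflow text for the weaknesses shown on this page."""
import re
from dataclasses import dataclass, field

# Constructed input: the page's secure example, with proper YAML indentation.
SECURE_WORKFLOW = """\
name: Secure Workflow
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '14'
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: npm test
      - name: Deploy
        if: github.ref == 'refs/heads/main'
        run: npm run deploy
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
"""

# Constructed input: the page's insecure example, derived by applying its three differences.
INSECURE_WORKFLOW = (
    SECURE_WORKFLOW.replace("run: npm ci", "run: npm install")
    .replace("        if: github.ref == 'refs/heads/main'\n", "")
    .replace("${{ secrets.DEPLOY_KEY }}", "hardcoded-insecure-key")
)

STEP_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*):\s*(.*?)\s*$")
SECRET_REF_RE = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")


@dataclass
class Step:
    name: str
    keys: dict = field(default_factory=dict)  # step-level keys: uses, run, if, ...
    env: dict = field(default_factory=dict)   # VAR -> value under the step's env:


def parse_steps(workflow_text: str) -> list:
    """Minimal step extractor (hypothetical helper): splits on '- name:' lines and
    collects each step's keys, tracking env: children by indentation."""
    steps, current, in_env, env_indent = [], None, False, 0
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.strip().startswith("#"):
            continue
        m = STEP_RE.match(raw)
        if m:
            current = Step(name=m.group(1))
            steps.append(current)
            in_env = False
            continue
        km = KEY_RE.match(raw)
        if current is None or not km:
            continue  # lines before the first step (name:, on:, jobs:) are ignored
        indent = len(raw) - len(raw.lstrip())
        key, value = km.group(1), km.group(2)
        if in_env and indent > env_indent:
            current.env[key] = value
            continue
        in_env = key == "env"
        env_indent = indent
        if not in_env:
            current.keys[key] = value
    return steps


def lint_workflow(workflow_text: str) -> list:
    """Return one human-readable finding per weakness detected."""
    findings = []
    for step in parse_steps(workflow_text):
        for var, value in step.env.items():
            if not SECRET_REF_RE.match(value):
                findings.append(f"{step.name}: env {var} is a literal value, not a secrets.* reference")
        run = step.keys.get("run", "")
        if re.search(r"\bnpm install\b", run):
            findings.append(f"{step.name}: uses 'npm install' instead of lockfile-respecting 'npm ci'")
        if "deploy" in run.lower() and "if" not in step.keys:
            findings.append(f"{step.name}: deploy step has no 'if:' guard restricting the branch")
        uses = step.keys.get("uses")
        if uses and not SHA_PIN_RE.search(uses):
            findings.append(f"{step.name}: action '{uses}' is pinned to a tag, not a commit SHA")
    return findings


if __name__ == "__main__":
    for label, text in (("secure", SECURE_WORKFLOW), ("insecure", INSECURE_WORKFLOW)):
        print(f"== {label} example ==")
        for finding in lint_workflow(text):
            print("  -", finding)
```

Run as a script to see both reports; the secure example still produces two findings, because both of its actions are pinned to moving tags rather than immutable commit SHAs, which is the usual next hardening step after the ones the page shows.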