If your CI/CD pipelines are built on GitHub Actions, you might be using GitHub Actions secrets to securely store credentials for connecting to your cloud environments. The security model for GitHub Actions secrets is not very intuitive. Many organizations assume that repository and organization-level secrets offer sufficient protection, but in reality these secrets lack granular access controls, exposing organizations to hidden security risks.

In this talk, we’ll break down the different types of secrets in GitHub Actions (organization, repository, and environment), the protections they offer, and their limitations. We’ll explore how misconfigurations lead to a false sense of security and discuss a more robust approach using environments and environment protection rules. We’ll also examine OpenID Connect (OIDC) for cloud authentication - where there are no long-lived secrets - but where misconfigurations can still introduce risks, and how environment-based protections help.

You’ll leave with a clearer understanding of GitHub Actions secrets, their exposure risks, and practical strategies to better protect cloud permissions of your CI/CD pipelines. Whether you’re securing sensitive credentials or refining your OIDC configurations, this session will equip you with actionable defenses to keep your automation secure at scale.