
But then what would happen if the GitHub token leaks? Would someone then be able to retrieve their own credentials as if they were your CI/CD pipeline? I feel like it would be hard to audit that because a baddie would then be able to blend in with your CI/CD pipeline's traffic.

But you say you find "management of AWS Credentials a pain", so I guess this isn't for security purposes, right? More of just a convenience?

Don't get me wrong, I'm all about lessening the amount of environment variables in a pipeline!.. especially with ones that you want to rotate!



The GitHub token that is used is a short-lived token that is generated new every time a GitHub action is run.

Ref: https://docs.github.com/en/actions/security-guides/automatic...

And the SAML.to backend first checks to make sure the token is valid by invoking:

Ref: https://docs.github.com/en/rest/reference/apps#list-reposito...

I haven't checked, but I assume GitHub invalidates the token when the GitHub Action finishes.
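As an added illustration (not code from SAML.to or from either commenter), this is the shape of the validity check the comment above describes: the broker presents the workflow's token to GitHub's installation-repositories endpoint and only issues cloud credentials if GitHub accepts the token and the repository it can see is one the broker is configured to trust. The endpoint and headers are GitHub's; `ALLOWED_REPO`, the `fetch` parameter and the function names are assumptions made for this example.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Set, Tuple

GITHUB_API = "https://api.github.com"
# Assumption for the example: the one repository whose workflow runs this
# broker is willing to hand credentials to. A real broker would load this
# from configuration, not hard-code it.
ALLOWED_REPO = "example-org/example-repo"

# Transport is injected so the check can be exercised without network access.
Fetch = Callable[[str, str], Tuple[int, dict]]


def github_fetch(url: str, token: str) -> Tuple[int, dict]:
    """Real transport: GET `url`, presenting the workflow token as a Bearer credential."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, {}


def repos_visible_to(token: str, fetch: Fetch = github_fetch) -> Optional[Set[str]]:
    """Ask GitHub which repositories the token's installation can see.

    A GITHUB_TOKEN issued to a workflow run is an installation access token, so
    /installation/repositories answers for it. An expired or bogus token is
    rejected by GitHub (non-200), which we report as None rather than an empty set.
    """
    status, body = fetch(f"{GITHUB_API}/installation/repositories", token)
    if status != 200:
        return None
    return {repo["full_name"] for repo in body.get("repositories", [])}


def should_issue_credentials(token: str, claimed_repo: str,
                             fetch: Fetch = github_fetch) -> bool:
    """Broker credentials only when GitHub vouches for the token and the
    repository it can see is the one this broker trusts."""
    repos = repos_visible_to(token, fetch)
    if repos is None:
        return False
    return claimed_repo == ALLOWED_REPO and claimed_repo in repos
```

Note that this confirms the token is currently valid and scoped to the expected repository, not who is presenting it: a token copied out of a still-running job would pass, which is exactly the concern raised in the first comment, so the run's short lifetime and the broker's own access logs are what bound that exposure.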



