How to use GitHub Actions with security in mind
When working in the real world with CI/CD, you have to take care of your pipelines and the things they have access to. This means asking yourself and your team questions like the following:
- Who can push code into an environment?
- Who can read and change the connection strings to the database?
- Who can create new resources in our cloud environment?
- Do we trust our third-party extensions?
- What part of the network does our pipeline have access to?
In this session we'll go over each of these aspects in your GitHub Actions workflows, showing you what to look for and offering tips on how to improve your security stance without locking every DevOps engineer out.