Not So Secret: The Hidden Risks of GitHub Actions Secrets

Amiran Alavidze

fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal

Amiran Alavidze, Director of Security Engineering at Zello, delivered a sharp and demo-driven talk exposing a fundamental weakness in **GitHub Actions secrets**: any user with write access to a repository can trivially exfiltrate all repository-level secrets, regardless of branch protection rules. The talk demonstrated the attack live, showed why it works, and then walked through two concrete mitigations -- **GitHub Environments with protection rules** and **OIDC federation with properly scoped trust policies** -- with live demos proving each defense. This is an essential talk for any organization using GitHub Actions for CI/CD with cloud credentials.
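The following Python is an added example, not material from the talk: it models only the `Condition` block of an AWS IAM role trust policy for GitHub's OIDC provider (AWS, the org/repo names and the token claims are assumptions) and shows why a wildcard `sub` condition lets any workflow run in the repository assume the role, while a condition pinned to a protected environment only admits jobs that passed that environment's protection rules.

```python
"""Compare which GitHub OIDC tokens a trust policy Condition block admits.

Constructed example: implements the IAM StringEquals / StringLike matching
for the two claims GitHub's OIDC provider places in the token (aud, sub) and
evaluates a weak policy and an environment-scoped policy against two tokens.
The Principal / Action parts of a real trust policy are not modelled here.
"""
import re

PROVIDER = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_allows(condition: dict, claims: dict) -> bool:
    """All operator/key pairs must match; the values listed for one key are OR-ed."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            claim = claims.get(key.removeprefix(PROVIDER + ":"))
            if claim is None:
                return False
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if operator == "StringEquals":
                if claim not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(_like(p, claim) for p in patterns):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


# Weak: any workflow run in the repo (feature branch, pull request, tag) may assume the role.
WEAK = {"StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{PROVIDER}:sub": "repo:example-org/example-app:*"}}

# Scoped: only jobs that ran under the 'production' environment and its protection rules.
SCOPED = {"StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com",
                           f"{PROVIDER}:sub": "repo:example-org/example-app:environment:production"}}

# Constructed token claims: an environment-gated deploy job and a feature-branch job.
PROD_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-app:environment:production"}
BRANCH_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-app:ref:refs/heads/feature/x"}


def evaluate() -> dict:
    """Return, per policy, whether each constructed token would be accepted."""
    return {name: {"prod": condition_allows(pol, PROD_JOB), "branch": condition_allows(pol, BRANCH_JOB)}
            for name, pol in (("weak", WEAK), ("scoped", SCOPED))}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

The weak policy accepts both tokens, so a write-access user pushing a branch workflow can mint cloud credentials; the scoped policy rejects the branch token and only admits the job that went through the environment's protection rules.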

AI review

Clean, demo-driven talk that takes a well-known but poorly understood GitHub Actions weakness -- write access equals secret access -- and proves it live with escalating attack scenarios, then walks through concrete mitigations including environment protection rules and properly scoped OIDC trust policies. The attack is simple but the impact is real, and the combined defense-in-depth approach is immediately actionable.

Watch on YouTube