How to Run Access Reviews for CI Secrets
Listing secrets, environments, and who can reach them turns the required periodic access review into a scripted, repeatable export.
Frameworks expect periodic reviews of who can access sensitive credentials. This page enumerates repository and environment secrets plus their reviewers so a human can attest to the list. It is educational; pair it with a ticketed review cadence.
Steps
- List repository and environment secrets (names only; values are never readable).
- List environment reviewers who can release with those secrets.
- Export the results for the reviewer to attest and file with the change record.
Enumerate secrets and reviewers
Terminal
# Repo-level secret names
gh api repos/acme/app/actions/secrets | jq -r '.secrets[].name'
# Environment secret names + protection reviewers
for env in staging production; do
echo "== $env =="
gh api repos/acme/app/environments/$env/secrets | jq -r '.secrets[].name'
gh api repos/acme/app/environments/$env \
| jq -r '.protection_rules[]?.reviewers[]?.reviewer.login'
doneNotes
- Secret values are write only; the review is over names, scope, and who can use them.
- Run this on a schedule and archive the output as the evidence artifact.
Related guides
How to Apply Least Privilege to CI TokensScope the GITHUB_TOKEN and OIDC cloud access to the minimum needed in GitHub Actions, so a compromised job ca…
How to Segregate Production Credentials in CIKeep production credentials out of build and test jobs in GitHub Actions by binding them to a protected envir…
How to Collect CI Evidence for an AuditExport GitHub Actions workflow runs, approvals, and reviews with the gh CLI and REST API to produce audit evi…