How to Segregate Production Credentials in CI
Binding production secrets to a protected environment means only a job that names that environment (and passes its gate) can ever read them.
Production credentials should never be reachable from a pull request build or a test job. GitHub environment secrets solve this: they are visible only to jobs that declare the environment, which can require approval first. This page is educational configuration guidance.
Steps
- Store production credentials as environment secrets, not repository secrets.
- Protect that environment with required reviewers and branch restrictions.
- Reference the environment only from the deploy job, never from build or test.
Gated deploy job
.github/workflows/deploy.yml
jobs:
test:
runs-on: ubuntu-latest # no environment, cannot see prod secrets
steps:
- run: npm test
deploy:
needs: test
runs-on: ubuntu-latest
environment: production # prod secrets are scoped here only
steps:
- run: ./deploy.sh
env:
PROD_DB_URL: ${{ secrets.PROD_DB_URL }}Notes
- A test job with no environment simply has no access to the production secret.
- Restrict the environment to the default branch so forks cannot trigger prod access.
Related guides
How to Add Approval Gates With EnvironmentsAdd human approval gates to GitHub Actions deploys with protected environments, required reviewers, and a wai…
How to Apply Least Privilege to CI TokensScope the GITHUB_TOKEN and OIDC cloud access to the minimum needed in GitHub Actions, so a compromised job ca…
How to Enforce Separation of Duties in CI/CDEnforce separation of duties in GitHub Actions so the author of a change cannot approve or deploy it alone, a…