GitHub Actions Overview
Questions and Answers

What is the maximum number of unique reusable workflows that can be called from a single workflow?

  • 40
  • 10
  • 30
  • 20 (correct)

Which of the following statements regarding environment secrets in reusable workflows is correct?

  • Environment secrets can be shared freely between workflows.
  • Secrets can be passed directly from the caller workflow.
  • Secrets are passed securely using the secrets keyword. (correct)
  • Secrets must be defined in the calling workflow only.

Which keyword is used to reference a reusable workflow from a caller workflow?

  • uses (correct)
  • use
  • reference
  • invoke

What is the correct format for referencing a reusable workflow located in the same repository?

./.github/workflows/(unknown) (C)

How many levels of nested reusable workflows can be established?

Four (A)

What are the components of a workflow in GitHub Actions?

Triggers, Jobs, Steps (A)

Which of the following options can trigger a GitHub workflow?

Push events, Manual triggers, Scheduled tasks (C)

Which feature allows for the use of sensitive information in a workflow securely?

Secrets (B)

What is the purpose of using the 'needs' keyword in a GitHub Actions workflow?

To create dependencies between jobs (A)

What does the matrix strategy feature in workflows allow you to do?

Run jobs with various configurations (D)

How can performance be improved when using dependencies in a workflow?

By caching dependencies (A)

Which of the following options is NOT a type of workflow template provided by GitHub?

Infrastructure as Code (C)

What is the purpose of using Dependabot in GitHub Actions?

To track vulnerabilities and update actions (B)

What practice should be avoided when using secrets in GitHub workflows?

Using structured data like JSON as secrets (D)

Which statement about redaction of secrets in logs is true?

Redaction is not guaranteed for transformed values (A)

What is a recommended practice for managing secrets in workflows?

Audit and review secret usage regularly (B)

How can script injection vulnerabilities be prevented in GitHub Actions?

By using actions instead of inline scripts (B)

What should users with write access to a repository be cautious about regarding secrets?

They can view secrets without restrictions (A)

Which action is NOT recommended when managing secrets in workflows?

Registering derived secrets as public information (D)

Which strategy helps to minimize risks associated with exposed tokens in workflows?

Utilize workflow templates for vulnerability detection (B)

Which is a valid approach for configuring runners in GitHub Actions?

Label runners as self-hosted or GitHub-hosted (B)

What is the primary purpose of using OpenID Connect (OIDC) in cloud access?

To eliminate the need for storing long-lived credentials (D)

Which of the following is a recommended practice regarding GitHub Actions?

Pin actions to a tag only if the creator is trusted (A)

What is a significant risk when using self-hosted runners in GitHub Actions?

Increased exposure to attacks from untrusted code (C)

What type of runner is designed to enhance security by executing only one job before removal?

Just-in-Time (JIT) Runners (C)

What vulnerability exists with the GITHUB_TOKEN in GitHub Actions?

It can be stolen and used to modify repositories (D)

Why should personal access tokens and SSH keys be avoided?

They have broader access rights, increasing security risks (B)

Which practice improves security by keeping actions and workflows updated in GitHub?

Using Dependabot (D)

What does mismanagement of secrets or improper redaction in logs potentially lead to?

Accidental leaks of sensitive information (B)

Which of the following describes a caller workflow in GitHub Actions?

A workflow that invokes another reusable workflow (A)

What important measure can be taken to reduce the risk of compromise in GitHub Actions?

Limit access to sensitive environments (C)

What is the primary purpose of reusable workflows?

To centralize common tasks and avoid code duplication. (D)

Which of the following describes job dependencies in reusable workflows?

A reusable workflow can include multiple jobs that must run in a specific order. (A)

How does a caller workflow interact with a called reusable workflow?

The entire called workflow is executed as part of the caller workflow. (B)

What is the benefit of defining inputs and secrets in reusable workflows?

They allow passing values from the caller workflow to the called workflow. (C)

Which advantage does workflow reuse NOT provide?

More complex workflow creation. (C)

What happens if a called reusable workflow is located in a different repository?

Actions in the called workflow will run using the context of the caller workflow. (A)

Which of the following statements is NOT true regarding calling reusable workflows?

The caller workflow inherits the context of the called workflow. (B)

What role does workflow reuse play in promoting best practices?

It creates standardized methods to implement common tasks. (A)

How do centralized workflows improve maintainability?

They allow testing and maintenance to be streamlined across all workflows. (B)

Which statement accurately reflects the concept of calling reusable workflows?

A single line reference is used to invoke the entire called workflow. (C)

Flashcards

Reusable Workflows

A type of workflow that can be reused across multiple workflows, allowing for code modularity and sharing.

How are reusable workflows defined?

They are defined with the 'on.workflow_call' trigger in the '.github/workflows' directory of a repository.

How do you reference reusable workflows?

They can be referenced from a caller workflow using the 'uses' keyword in a job.

How do you pass data to reusable workflows?

You pass them as inputs and secrets using the 'with' and 'secrets' keywords when referencing the reusable workflow.

What is the nesting limit for reusable workflows?

They can be nested up to four levels deep.

Inputs

Data that is required for an action to run. For example, file paths or specific configurations.

Outputs

The results or output of an action that can be used in further processes.

Workflow

An automated process defined in a YAML file that runs jobs and can be triggered by events, schedules, or manual actions.

Workflow Triggers

Events that start a workflow. Examples include pushing code, creating a pull request, or triggering a specific schedule.

Secrets

Securely store sensitive data like passwords and tokens. Use as environment variables in workflows to access this data when needed.

Matrix Strategy

Run jobs in a workflow with different configurations, such as various versions of a software.

Caching Dependencies

Optimize workflows by caching frequently used files to improve performance and reduce execution time.

Caller Workflow

A workflow that triggers the execution of another workflow, acting as the initiator.

OpenID Connect (OIDC)

A method for securely accessing cloud services using short-lived, scoped tokens, eliminating the need to store long-lived credentials.

GitHub-Hosted Runners

A temporary, isolated environment in which GitHub Actions workflows are executed, minimizing the risk of persistent compromise.

Just-in-Time (JIT) Runners

Ephemeral, temporary runners designed to execute a single job before being removed, enhancing security.

Self-Hosted Runners

Runners that are managed and controlled by the user, potentially increasing security risks if not properly secured.

Full Commit SHA

A unique identifier for each commit in a repository, ensuring immutability and preventing backdoor risks from action updates.

Dependabot

A GitHub feature used to automatically keep actions and workflows up-to-date, improving security and reducing manual maintenance.

Repository Deploy Keys

A token specifically granted to a repository, providing limited access and enhancing security.

GitHub App Tokens

Tokens issued to GitHub Apps, offering a more secure alternative to personal access tokens and SSH keys.

Workflow Reuse

The practice of calling a reusable workflow from another workflow, similar to how functions are called

Job Dependencies

The dependencies between jobs within a reusable workflow. For example, a 'Deploy' job might depend on

Workflow Context

When a reusable workflow is called, the caller workflow's context, including variables

Inputs in Reusable Workflows

Inputs are used to provide values to a reusable workflow from the caller workflow.

Secrets in Reusable Workflows

Secrets are used to share secure information with a reusable workflow.

Dependency Graph in GitHub Actions

The dependency graph in GitHub Actions visually represents the relationships between workflows.

Inputs and Secrets Definition

Inputs and secrets can be defined in the reusable workflow using the 'inputs' and 'secrets' properties.

Labels for Runners

Specify if you're using self-hosted or GitHub-hosted runners for your workflows.

Using Secrets

Encrypted values stored securely in GitHub, minimizing accidental exposure.

Redaction

GitHub attempts to remove secrets from logs, preventing accidental exposure.

Best Practices: Avoid Structured Data

Avoid storing structured data (JSON, XML) as secrets due to complexities in redacting.

Best Practices: Register Derived Secrets

Register derived secrets (e.g., JWT generated from a secret) to track their exposure.

Best Practices: Audit and Review Secrets

Regularly check how secrets are used and ensure they are properly redacted in logs.

Best Practices: Least Privilege Credentials

Ensure workflows use credentials with the minimum necessary permissions.

Best Practices: Rotate Secrets

Periodically change secrets and remove those that are no longer needed.

Access Controls: Secret Visibility

Only users with write access to a repository can view secrets.

Access Controls: CODEOWNERS

Use CODEOWNERS to designate trusted reviewers for workflow changes, enhancing security.

Access Controls: Environment Secret Review

Consider requiring approval for environment secrets, enhancing their security.

Risk of Script Injection

Untrusted inputs in workflows can lead to script injection vulnerabilities.

Mitigation: Using Actions

Use actions instead of inline scripts to minimize code execution vulnerabilities.

Mitigation: Using Environment Variables

Use environment variables for untrusted inputs to prevent shell script injection.

Mitigation: Defensive Programming

Ensure defensive programming when handling potentially untrusted input.

Security Enhancements: Code Scanning

Use workflow templates for code scanning (e.g., CodeQL) to find security vulnerabilities early.

Security Enhancements: Token Permissions

Limit the permissions of tokens used in workflows to minimize security risks.

Study Notes

Key Components

• Workflows: Configurable processes defined in YAML files, triggered by events (repository activities, manual, schedule). Can perform tasks like building, testing, deploying code, or labeling issues.
• Events: Specific repository activities (e.g., creating a pull request, pushing a commit) that trigger workflows.
• Jobs: A sequence of steps executed on a single runner. Jobs can be run independently in parallel or have dependencies on other jobs.
• Actions: Reusable custom applications for performing repetitive tasks (e.g., setting up environments or cloud authentication). Available in GitHub Marketplace or custom-built.
• Runners: Servers that execute workflows, each runner running one job at a time. GitHub provides Linux, Windows, and macOS virtual runners, or self-hosted runners can be used for custom configurations.

Capabilities and Use Cases

• Automate builds, tests, deployments.
• Build CI/CD (Continuous Integration/Continuous Delivery) pipelines.
• Run workflows on GitHub-hosted or self-hosted environments.

Key Features of Actions

• Reusable: Actions can be used across multiple workflows and repositories.
• Pre-written: Many community-created actions are available in the GitHub Marketplace.

Types of Actions

• Same Repository: Actions stored in the same repository as the workflow.
• Public Repository: Actions from any public repository.
• Docker Containers: Actions defined as Docker images on Docker Hub.

Using Actions in Workflows

• Browsing GitHub Marketplace: Use the workflow editor to find and add actions, which may have a checkmark badge indicating verification by GitHub.
• Adding Actions to a Workflow: Add actions as steps in the workflow file (.yml). Use owner/repo@{version} (or ./path/to/dir) to reference external/local actions.

Versioning Actions

• Tags: Use tags (e.g., v1.0.1) to specify a version.
• SHAs: Use immutable SHA values for greater reliability.
• Branches: Use branches, but be aware that this might include breaking changes.

Inputs and Outputs

• Inputs: Actions can require inputs, specifying data needed (e.g., file paths).
• Outputs: Actions can provide outputs, allowing for results to be used in other workflows.

Security and Best Practices

• Dependabot: Use Dependabot for keeping actions updated.
• SHAs for Actions: Prefer SHAs over other references for actions to ensure security.
• Docker Image Verification: Verify Docker images when using Docker actions.

Workflow Basics

• Triggers: Events that start the workflow (e.g., push, pull request, issue creation).
• Jobs: Units of work run on a runner.
• Steps: Actions or scripts executed sequentially in a job.

Workflow Triggers

• Repository Events: Pushes, releases, issue creation.
• External Events: Triggered via repository_dispatch.
• Schedules: Using cron syntax.
• Manual Triggers: Via the GitHub interface.

Workflow Templates

• GitHub offers templates for workflows (CI, Deployments, Automation, Code Scanning, Pages).
• Templates are customizable for project-specific needs.

Advanced Workflow Features

• Secrets: Store sensitive data securely as environment variables.
• Dependent Jobs: Use the needs keyword to create dependencies between jobs.
• Matrix Strategy: Run jobs with different configurations (e.g., Node.js versions).
• Caching Dependencies: Improve performance by caching reusable files.
• Service Containers: Run temporary containers (e.g., databases) alongside jobs.

Labels for Runners

• Use labels to specify runner types (self-hosted, Linux, macOS).

Reusable Workflows

• Call workflows within other workflows to avoid duplication.

Security Features

• Dependabot: Use Dependabot to track and update actions.
• Environment Configuration: Configure environments with protection rules for secrets to control job execution.

Using Secrets

• Secrets are encrypted using Libsodium sealed boxes before reaching GitHub, minimizing accidental leaks.
• Secrets can be configured at the organization, repository, or environment level.

Best Practices

• Avoid structured data (JSON, XML, YAML) as secrets.
• Register all derived secrets.
• Regularly audit and review secret usage, ensuring redaction in logs.
• Use least privilege (minimal permissions) for credentials.
• Rotate secrets periodically.

Access Controls

• Only users with write access can view secrets.
• Use CODEOWNERS to restrict workflow changes.
• Consider requiring review approvals for environment secrets.

Risks of Script Injection

• Use actions instead of inline scripts to avoid code execution vulnerabilities.

Security Enhancements

• Use workflow templates for code scanning.
• Restrict token permissions for minimizing risk.
• Use OpenID Connect (OIDC) for cloud access (instead of long-lived credentials).

Warnings

• Users with write access can read all secrets.
• Poor log management can lead to accidental secret leaks.

Risks of Third-Party Actions

• Pin actions to a commit SHA for immutability and backdoor prevention.
• Audit action source code for misuse of secrets.
• Pin actions to a tag if trusted, but be aware of potential tag deletion/movement.
• Use Dependabot to help keep actions up to date.
Compromised Runner Risks

• A compromised runner can read any secrets the job uses.
• Secrets can be exfiltrated through logs or outbound HTTP requests.
• Stealing the GITHUB_TOKEN exposes secrets and gives malicious actors write access.

GitHub Action Runner Types

• GitHub-hosted runners run in isolated environments, reducing compromise risk.
• Self-hosted runners are more susceptible to compromise.

Security Measures

• Use GITHUB_TOKEN for repository-specific access.
• Use Repository Deploy Keys and GitHub App Tokens.
• Avoid Personal Access Tokens and SSH keys.
• Use OpenID Connect for cloud deployments.

Reusing Workflows

• Reusable workflows in GitHub Actions are key for code reuse and maintenance.
• Caller Workflow: The workflow that calls a reusable workflow.
• Called Workflow: The reusable workflow that is called.
• Reusability improves maintainability and consistency.

Reusable Workflow Setup

• Reusable workflows take inputs and secrets.
• Input and secret data types should match the workflow definition.
• Secrets are used in actions within the reusable workflow.

Calling Reusable Workflows

• Use the uses keyword to call a reusable workflow.
• Pass inputs and secrets using the with and secrets keywords in the call.

Security Considerations

• Trust the version of the reusable workflow.
• Environment secrets cannot be passed directly from the caller.

Re-running Workflows

• Re-running a workflow that called a reusable workflow by SHA reuses that same SHA.
• If the call used a branch or tag instead of a SHA, the latest commit on that reference is used.

Key Points

• Reusable workflows reduce duplication, ensuring consistency across workflows.
• Inputs, secrets, outputs, and monitoring tools enhance workflow execution.
