Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Github Actions: A Cloudy Day For Security - Part 1- 1734

Sofia Lindvist Posted 5 Months Ago
  • GitHub Actions are actually pretty hard to secure against every threat, insider threats in particular. This article goes over some GitHub protections that can harden a repository.
  • Branch protections restrict modifications to specific named branches, which blocks direct pushes to main from a compromised developer account. They can also be used to require signed commits or to require pull requests before merging.
  • Another good feature is "Dismiss stale pull request approvals". It prevents a PR from being approved and then having a major change pushed underneath the existing approval. Again, insider threats are very hard to protect against.
  • GitHub Actions can have secrets as well. One annoying aspect is that a user with push permissions on the repository can create a branch with a new GitHub Actions workflow and simply leak the secrets. To prevent this, I have required PRs from users only and not allowed branches except for admins.
  • Environments are a collection of variables and secrets in GitHub. They can be created with specific names, like prod and dev. Secrets within an environment take precedence over the repository-level secrets.
  • Environments offer several helpful controls. First, you can require reviewers before a job may use a particular environment. Second, you can restrict an environment to specific branches, such as a protected branch. Together these prevent sensitive secrets from being stolen by a workflow on an unreviewed branch.
  • There are also tag-based protections. Restricting deletions, blocking force pushes, and requiring deployments to succeed are all somewhat helpful.
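As an added example that is not part of the article or of these notes, here is a workflow showing the repository-level secret pattern the secrets bullet warns about next to the environment-based form the environment bullets describe. The environment name, secret name, deploy script and reviewer setup are assumed.

```yaml
# Added example, not from the article. Repository settings assumed (these
# are configured in the GitHub UI / API, not in this file):
#   - environment "prod" holds PROD_DEPLOY_KEY as an environment secret,
#     has a required reviewer, and its deployment branch policy is
#     "protected branches only" (main is branch-protected).
#   - PROD_DEPLOY_KEY is REMOVED from the repository-level secrets once the
#     hardened job is in place; the "before" job below then gets nothing.
name: deploy

on:
  push:            # fires for every branch, so anyone with push access
  pull_request:    # can run a modified copy of this workflow

jobs:
  # BEFORE (weak): a repository-level secret is readable by a workflow on
  # any branch. A user with push rights can edit the steps on a throwaway
  # branch and the job still runs with the secret. Delete this job and the
  # repository-level secret when moving to the environment form.
  deploy-unsafe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh                      # assumed script
        env:
          DEPLOY_KEY: ${{ secrets.PROD_DEPLOY_KEY }}   # repository-level secret

  # AFTER (hardened): the secret lives only in the "prod" environment. The
  # job must name that environment, and GitHub then refuses to start it
  # unless the ref satisfies the environment's branch policy, and holds it
  # until a required reviewer approves. Only after both checks does the
  # job receive the environment's secrets.
  deploy-prod:
    if: github.ref == 'refs/heads/main'       # redundant with the policy, kept as a guard
    runs-on: ubuntu-latest
    environment:
      name: prod
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh                      # assumed script
        env:
          DEPLOY_KEY: ${{ secrets.PROD_DEPLOY_KEY }}   # resolved from the environment
```

A run of deploy-prod triggered from any non-protected branch fails the environment's branch policy before any step executes, so the secret is never exposed to it.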