Cybersecurity, Using GitHub Actions with the Campus Firewall

GitHub Actions can be used without special rules in the campus firewall by using a locally hosted GitHub Actions Runner.

Introduction

This document provides the developer with resources to learn about what GitHub Actions and Runners are, how to set up the features, and how to use them effectively. GitHub Actions is a service for automating development workflows using Continuous Integration/Continuous Deployment (CI/CD) principles.

When set up correctly, a Self-Hosted GitHub Agent Runner can use GitHub Actions to perform necessary tasks without needing to open an SSH port through the campus firewall. Firewall exceptions for incoming SSH have not been granted for this use case.

The purpose of this document about GitHub Actions is to help DevOps teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards, including IT05, IT07, IT08, and IT13.

About GitHub Actions

GitHub provides documentation about GitHub Actions.

The GitHub Quick Start Guide will explain the basic steps for creating a workflow.

For a more thorough lesson in GitHub Actions, one can follow the Learn GitHub Actions guide provided.

Additional information can be found in the GitHub Actions Reference and the University of Illinois GitHub Service Community Portal.

About GitHub Runners

GitHub Runners are used to execute the GitHub Actions created for a repository.

There are two types of Runners: GitHub-Hosted and Self-Hosted.

GitHub-Hosted Runners

GitHub provides documentation about GitHub-Hosted Runners.

GitHub Actions are available by default.

GitHub-Hosted Runners run on a virtual machine hosted by GitHub.

Some customization options are available.

Self-Hosted Runners

GitHub also provides the ability to create Self-Hosted Runners.

This option allows for more customization and control of the environment.

Hosting your own GitHub runners is supported at 3 levels:

About Secret Protection

Regardless of the methodology employed to create and use Actions and Runners, it is important to prevent Secret Leaks.

GitHub repositories are not approved for storing secrets (encrypted or otherwise).

Use GitHub Encrypted Secrets, or another approved secret store.

If a secret is leaked, the secret must be rotated.

Report leaks to security@illinois.edu.

A job aid is available on the KB about preventing secret leaks in GitHub.
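
The following workflow is an added example, not part of the original document or of any University tooling. It shows a deployment job that runs on a self-hosted runner inside the campus network and reads its credential from GitHub Encrypted Secrets. The branch name, runner labels, secret name DEPLOY_TOKEN and script path ./scripts/deploy.sh are assumptions.

```yaml
# Added example. Names marked "assumed" are placeholders, not from the original document.
name: deploy-from-campus-runner

on:
  # Triggered only by pushes to the protected branch, not by pull requests,
  # so code from forks is never executed on the campus runner.
  push:
    branches: [main]          # assumed default branch

# Least privilege for the workflow's automatic GITHUB_TOKEN
permissions:
  contents: read

jobs:
  deploy:
    # Runs on a runner hosted inside the campus network. The runner makes
    # outbound HTTPS connections to GitHub to pick up jobs, so no inbound
    # SSH firewall exception is involved.
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4

      - name: Deploy
        env:
          # Stored as a GitHub Encrypted Secret, never committed to the repository.
          # GitHub masks the value in logs, but the script must still avoid echoing it.
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # assumed secret name
        run: ./scripts/deploy.sh                      # assumed script; reads DEPLOY_TOKEN from the environment
```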



Keywords: security, developer, sdlc, cybersecurity, devops, secdevops, github
Doc ID: 122838
Owned by: Security S. in University of Illinois Technology Services
Created: 2022-12-02
Updated: 2023-03-24
Sites: University of Illinois Technology Services