Cybersecurity, Using GitHub Actions with the Campus Firewall
Introduction
This document provides the developer with resources to learn about what GitHub Actions and Runners are, how to set up the features, and how to use them effectively. GitHub Actions is a service for automating development workflows using Continuous Integration/Continuous Deployment (CI/CD) principles.
When setup correctly, a Self-Hosted GitHub Agent Runner can use GitHub Actions to perform necessary tasks without needing to open an SSH port through the campus firewall. Firewall exceptions for incoming SSH have not been granted for this use case.
The purpose of this document about GitHub Actions is to help DevOps teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards, including IT05, IT07, IT08, and IT13.
About GitHub Actions
GitHub provides documentation about GitHub Actions.
The GitHub Quick Start Guide will explain the basic steps for creating a workflow.
For a more thorough lesson in GitHub Actions, one can follow the Learn GitHub Actions guide provided.
Additional information can be found in the GitHub Actions Reference and the University of Illinois GitHub Service Community Portal
About GitHub Runners
GitHub Runners are used to execute the GitHub Actions created for a repository.
There are two types of Runners: GitHub-Hosted and Self-Hosted.
GitHub Hosted Runners
GitHub provides documentation about GitHub-Hosted Runners.
GitHub Actions are available by default.
GitHub-Hosted Runners run on a virtual machine hosted by GitHub.
Some customization options are available.
Self-Hosted Runners
GitHub also provides the ability to create Self-Hosted Runners.
This option allows for more customization and control of the environment.
Hosting your own GitHub runners is supported at 3 levels:
About Secret Protection
Regardless of the methodology employed to create and use Actions and Runners, it is important to prevent Secret Leaks.
GitHub repositories are not approved for storing secrets (encrypted or otherwise).
Use GitHub Encrypted Secrets, or another approved secret store.
If a secret is leaked, the secret must be rotated.
Report leaks to security@illinois.edu.
A job aid is available on the KB about preventing secret leaks in GitHub.