Is my *.yml file in my GitHub repo safe?

Question

Is my *.yml file in my GitHub repo safe?

Raymond Dean 116

Can the repo that's generated in this guide be made public? Is the *.yml under /.github/workflows/ a security concern?

For example, I see what looks like a variable for a security token: ${{secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_xxxxxxxxxx}}

VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-05-18T04:32:22.31+00:00

Hello @Raymond Dean ,

Following up to see if you have a chance to check my previous response from @AirGordon and helped. Do let us know if you have any further questions on this.

Accepted answer

0 additional answers

Your answer

VenkateshDodda-MSFT 25,111 Reputation points Microsoft Employee Moderator

2023-05-18T04:32:22.31+00:00

Hello @Raymond Dean ,

Following up to see if you have a chance to check my previous response from @AirGordon and helped. Do let us know if you have any further questions on this.

Answer 1

${{}} is the notation for a string replacement.

You can see from the string that the token is being retrieved from your GitHub repository secrets. It doesn't matter if the repository itself is public or private, secrets are secret.

See this link for more information about secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets

The yml file itself is public, so always ensure that sensitive information about your project/organisation or credentials are stored as secrets in GitHub rather than strings in the yml file.

Share via

Is my *.yml file in my GitHub repo safe?

0 additional answers

Your answer