Skip to content

Runner Security and CI Credentials

Set workflow-level permissions to read-only and elevate individual jobs narrowly. Push jobs require registry-specific OIDC permission; PR jobs do not.

Use GitHub OIDC to assume AWS roles and authenticate to Azure. Avoid long-lived access keys. Snowflake uses key-pair/JWT credentials stored in protected secrets until a stronger federated pattern is available.

Self-hosted runners handling untrusted PR code are isolated, ephemeral where possible, and never share credentials or Docker state with privileged release jobs. Cleanup commands are not a security boundary. Runner images are patched, monitored, and capacity-managed.

Use approved publishers, pin critical actions to immutable SHAs where feasible, enable Dependabot, and protect .github/workflows with CODEOWNERS. Shell steps quote untrusted values and avoid direct interpolation of PR-controlled strings.