Runner Security and CI Credentials
GitHub token permissions
Section titled “GitHub token permissions”Set workflow-level permissions to read-only and elevate individual jobs narrowly. Push jobs require registry-specific OIDC permission; PR jobs do not.
Cloud authentication
Section titled “Cloud authentication”Use GitHub OIDC to assume AWS roles and authenticate to Azure. Avoid long-lived access keys. Snowflake uses key-pair/JWT credentials stored in protected secrets until a stronger federated pattern is available.
Self-hosted runners
Section titled “Self-hosted runners”Self-hosted runners handling untrusted PR code are isolated, ephemeral where possible, and never share credentials or Docker state with privileged release jobs. Cleanup commands are not a security boundary. Runner images are patched, monitored, and capacity-managed.
Third-party Actions
Section titled “Third-party Actions”Use approved publishers, pin critical actions to immutable SHAs where feasible, enable Dependabot, and protect .github/workflows with CODEOWNERS. Shell steps quote untrusted values and avoid direct interpolation of PR-controlled strings.