GitHub Actions workflows should follow the principle of least privilege by providing reusable workflows with access only to the specific secrets they require. When secrets: inherit is used to call a reusable workflow, all repository secrets become available to the reusable workflow, creating unnecessary security risks.

This practice increases the attack surface and potential for secret exposure, as any vulnerability in the reusable workflow could compromise all secrets rather than just the ones actually needed. Additionally, it violates the principle of least privilege by granting broader access than necessary.

Ask Yourself Whether

There is a risk if you answer yes to any of the above questions.

Recommended Secure Coding Practices

Sensitive Code Example

name: Example

on:
  pull_request:

jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets: inherit # Sensitive

Compliant Solution

name: Example

on:
  pull_request:

jobs:
  call-reusable-workflow:
    uses: github/ExampleRepo/.github/workflows/reusable.yml@v1
    secrets:
      SECRET: ${{ secrets.EXAMPLE_SECRET }}
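The compliant caller above only works if the reusable workflow declares the secret it expects. The following reusable.yml is an added example (not part of the rule page) showing that declaration with on.workflow_call.secrets; the file name and the secret name SECRET match the compliant solution, and the deploy step is a placeholder.

```yaml
# .github/workflows/reusable.yml (called side of the compliant example; assumed layout)
name: Reusable

on:
  workflow_call:
    secrets:
      SECRET:
        description: "The only secret this workflow needs"
        required: true   # caller must pass it explicitly; no other repository secret is visible

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Use the single passed secret (placeholder step)
        env:
          TOKEN: ${{ secrets.SECRET }}   # resolves to the caller's EXAMPLE_SECRET
        run: ./deploy.sh
```

Because the caller passes secrets explicitly instead of using secrets: inherit, a reference to any other secrets.* name inside this file resolves to an empty value rather than exposing a secret the workflow was never meant to have.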

See