Skip to content

Latest commit

 

History

History
64 lines (46 loc) · 1.08 KB

006.md

File metadata and controls

64 lines (46 loc) · 1.08 KB
Raw

job_secrets

Job should not set secrets to environment variables.

Examples

jobs:
  foo:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    env:
      GITHUB_TOKEN: ${{github.token}} # secret is set in job
    steps:
      - run: echo foo
      - run: gh label create bug

jobs:
  foo:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - run: echo foo
      - run: gh label create bug
        env:
          GITHUB_TOKEN: ${{github.token}} # secret is set in step

How to fix

Set secrets to steps.

Why?

Secrets should be exposed to only necessary steps.

Exceptions

Job has only one step.

How to ignore the violation

We don't recommend, but if you want to ignore the violation of this policy, please configure it with the configuration file.

e.g.

ghalint.yaml

excludes:
  - policy_name: job_secrets
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint

policy_name, workflow_file_path, and job_name are required.