"Minimize the use of long-term credentials" in CISA/NSA document: For software-to-software authentication, avoid using software-based long-term credentials as much as possible.
🔙 Go back to the list of tutorials
In this tutorial you will use the StepSecurity Actions Security GitHub App to view the list of all your GitHub Actions Secret names and Days Since Last Rotated. This will help you understsand which secrets should be rotated.
-
Add a GitHub Actions secret to your repository. Under your repository name, click Settings. In the
Securitysection of the sidebar, selectSecrets and variables``, then clickActions. Click the `Secretstab. Click `New repository secret`` and add a secret. You can add any name and value. -
Install the StepSecurity Actions Security GitHub App on your repository. You will get an email with a link to your dashboard.
-
Then go to the
Actions Secretstab in the dashboard. Here you will be able to view the secret name along withDays Since Last Rotated. Since this is a new secret, that value will be 0. You can try on your own repository where you had created secrets on an earlier date.
The App only needs
actions: readandsecrets metadata: readpermissions on your repositories.secrets metadata: readpermission only gives access to the list of GitHub Actions secret names (and not to the actual secret).