Hardcoding credentials (usernames and passwords) in the `credentials:` block of a GitHub Actions `container:` or `services:` configuration embeds secrets directly in the repository source. Anyone with read access to the repository can see them, and because the value is in git history, deleting the line later does not undo the exposure: a credential that has been committed should be treated as compromised and rotated.
Store registry credentials as encrypted repository, environment, or organization secrets and reference them with `${{ secrets.NAME }}` expressions instead. The values are then kept out of the source and redacted from job logs.
Workflow with hardcoded registry credentials:

```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: registry.example.com/app
      credentials:
        username: user
        password: hackme
    steps:
      - run: echo 'hello'
```

The same workflow reading the credentials from encrypted secrets:

```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: registry.example.com/app
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      - run: echo 'hello'
```

- GitHub Docs: Using encrypted secrets in a workflow.
- Zizmor: hardcoded-container-credentials.
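As an added check that is not part of the original page or of the zizmor project, the following Ruby script (standard-library YAML parser only, no gems) walks every job's `container:` and `services:` entries and reports each `credentials:` field whose value is not a `${{ secrets.NAME }}` expression. The two embedded workflows are constructed from the page's examples; the extra `db` service, the function name `hardcoded_container_credentials` and the `SECRET_EXPRESSION` pattern are this example's own and only mirror the intent of the zizmor audit, not its implementation.

```ruby
require 'yaml'

# A value is only acceptable in a `credentials:` block if it is a GitHub
# Actions expression that reads an encrypted secret, e.g.
# "${{ secrets.REGISTRY_PASSWORD }}". Everything else is reported,
# including a literal username, since the fixed example moves both fields
# to secrets.
SECRET_EXPRESSION = /\A\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}\z/

# Returns one finding per hardcoded credential field as
# [job_id, location, field, value], where location is "container" or
# "services.<name>". A job whose `container:` is a bare image string has
# no credentials block and is skipped.
def hardcoded_container_credentials(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml) || {}
  findings = []
  jobs = doc['jobs'].is_a?(Hash) ? doc['jobs'] : {}
  jobs.each do |job_id, job|
    next unless job.is_a?(Hash)
    targets = []
    targets << ['container', job['container']] if job['container'].is_a?(Hash)
    services = job['services'].is_a?(Hash) ? job['services'] : {}
    services.each do |name, svc|
      targets << ["services.#{name}", svc] if svc.is_a?(Hash)
    end
    targets.each do |location, cfg|
      creds = cfg['credentials']
      next unless creds.is_a?(Hash)
      creds.each do |field, value|
        # to_s covers passwords YAML would otherwise parse as integers.
        next if value.to_s.match?(SECRET_EXPRESSION)
        findings << [job_id, location, field.to_s, value.to_s]
      end
    end
  end
  findings
end

# Constructed sample: the page's vulnerable workflow plus a service container
# whose username is a secret but whose password is still a literal.
VULNERABLE_WORKFLOW = <<~YAML
  jobs:
    test:
      runs-on: ubuntu-latest
      container:
        image: registry.example.com/app
        credentials:
          username: user
          password: hackme
      services:
        db:
          image: registry.example.com/db
          credentials:
            username: ${{ secrets.REGISTRY_USERNAME }}
            password: s3cr3t
      steps:
        - run: echo 'hello'
YAML

# Constructed sample: the page's fixed workflow.
FIXED_WORKFLOW = <<~YAML
  jobs:
    test:
      runs-on: ubuntu-latest
      container:
        image: registry.example.com/app
        credentials:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      steps:
        - run: echo 'hello'
YAML

if __FILE__ == $PROGRAM_NAME
  hardcoded_container_credentials(VULNERABLE_WORKFLOW).each do |job, location, field, value|
    puts "jobs.#{job}.#{location}.credentials.#{field}: hardcoded value #{value.inspect}"
  end
end
```

Run it against the files under `.github/workflows/` in a pre-commit hook or CI step. It only inspects `credentials:` blocks: a password pasted into an `env:` value or passed to a `docker login` step is a different finding and needs a separate check.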