Script Valley
CI/CD with GitHub Actions
Security and Best Practices (Lesson 6.5)

How to manage workflow secrets rotation and audit in GitHub Actions

secret rotation strategy, secret expiration, audit log, GITHUB_TOKEN expiry, environment secret vs repo secret, secret scanning, leaked credential response

Secret Hygiene

Figure: Secret lifecycle management loop

Secrets are not set-and-forget. Leaked, expired, or over-scoped credentials cause incidents. Establish a rotation policy before going to production.

Rotation Best Practices

Rotate secrets on a schedule (every 90 days for service account keys). Use short-lived credentials with OIDC where available; they rotate automatically. Create machine accounts (bot users) with the minimum required permissions rather than using personal access tokens tied to a human account that might leave the organization.

Detecting Leaked Secrets

Enable GitHub Secret Scanning under Settings → Security. It scans commits for patterns matching known secret formats (AWS keys, Stripe keys, etc.) and notifies you, or blocks the push outright when push protection is enabled.

# In GitHub Settings → Code security and analysis:
# Secret scanning: Enabled
# Push protection: Enabled (blocks pushes that contain secrets)

Responding to a Leak

If a secret is exposed: immediately revoke and rotate the credential at its source (AWS, Stripe, etc.); update the GitHub Secret with the new value; check the GitHub Actions audit log (Settings → Audit log) for use of the secret in unexpected workflows; and investigate whether the leaked credential was exfiltrated. Rotating the GitHub Secret without revoking the underlying credential does not fix the exposure.
