You can safely do this, at least with GitHub Actions. Here’s what I’ve done:
- Keep the AWS creds as secret vars, stored in the repo settings
- Trigger the deploy job only from
- Protect the develop branches (Git Flow)
In GitHub Actions, with this scenario, it will use the AWS creds stored in the repo only when the job is run against the repo. If the job is run against a PR, it uses the AWS creds stored in the forked repo, thus not using your credentials but the contributor's. So if the contributor is malicious and tries to print your creds by changing the job (workflow) and submitting a PR, they will only shoot themselves in the foot, because it would print their own.
I haven’t tested this in GitLab yet, but I expect it would run the same. You can run a test to see how secret/protected variables are handled in GitLab and, if they get printed, which vars get printed. If the job gets triggered on an MR, it should expect those variables to be declared in the fork. If they are not, the job should fail. Be careful though, this last statement is a two-edged blade. Do some experiments before you go to prod.
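A GitHub Actions workflow laid out the way the answer above describes: creds kept as repository secrets, a deploy job that only runs on pushes to the protected Git Flow branches, and a step that fails the job outright when the credentials are not present in the running context. This is an added example, not code from the original answer. The branch names `master` and `develop`, the secret names, the region, and the `./scripts/*.sh` entry points are assumptions for illustration.

```yaml
# Added example, not from the original answer. Branch names, secret names,
# region and the test/deploy entry points are assumptions for illustration.
name: deploy

on:
  push:
    branches:
      - master    # assumed: Git Flow production branch (protected in repo settings)
      - develop   # assumed: Git Flow integration branch (protected in repo settings)
  pull_request:
    branches:
      - develop

jobs:
  test:
    # Runs for every push and every PR; needs no credentials at all.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh   # assumed test entry point

  deploy:
    # Gate: only push events reach this job, never a pull_request event,
    # so a PR that edits the workflow cannot make the deploy steps run.
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}           # stored in repo settings
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}   # stored in repo settings
      AWS_DEFAULT_REGION: us-east-1                                 # assumed
    steps:
      - uses: actions/checkout@v4
      - name: Fail fast if the credentials are not present in this context
        run: |
          if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
            echo "AWS credentials are not available in this context; refusing to deploy" >&2
            exit 1
          fi
      - run: ./scripts/deploy.sh   # assumed deploy entry point
```

The `if: github.event_name == 'push'` condition together with branch protection is the "trigger the deploy job only from the protected branches" part of the recipe; the fail-fast step gives the "if the variables are not there, the job should fail" behaviour the answer recommends testing before going to prod.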