CI/CD pipelines need secrets — API keys, tokens, and credentials — but storing those secrets directly in GitHub creates long-term risk. In this video, we show how to integrate Infisical with GitHub Actions using machine identities and OIDC authentication, so workflows can fetch secrets at runtime without storing static credentials in GitHub.

Instead of relying on long-lived API keys or GitHub Secrets, workflows authenticate to Infisical based on verified workload identity — which repository is running, which workflow is executing, and what it’s allowed to access. We walk through how this model reduces secret sprawl, avoids “secret zero,” and provides a production-ready pattern for managing secrets securely in CI/CD pipelines.

This is a concept-focused walkthrough intended for developers, DevOps, and platform engineers building or maintaining GitHub Actions workflows.

Outline (timestamps):
0:00 – Why CI/CD pipelines need secrets (and where things usually go wrong)
0:48 – The problem with secrets sprawl in GitHub Actions
2:12 – How a secrets manager fixes CI/CD secret sprawl
2:39 – The “secret zero” problem with static API keys
3:17 – Authenticating CI/CD securely with OIDC
3:40 – Setting up secrets and machine identities in Infisical
5:41 – Configuring GitHub Actions with OIDC (no stored secrets)
6:45 – How secrets are fetched and injected at runtime
8:26 – Running the workflow end-to-end (Docker push demo)
9:07 – Final recap: identity-based secrets at scale

📚 Documentation & References
• GitHub Actions Integration: https://infisical.com/docs/integrations/cicd/githubactions
• OIDC Authentication with GitHub: https://infisical.com/docs/documentation/platform/identities/oidc-auth/github
• Secrets Management Overview: https://infisical.com/docs/documentation/platform/secrets-mgmt/overview
• Machine Identities (CI/CD & Workloads): https://infisical.com/docs/documentation/platform/identities/machine-identities

Follow Infisical:
• Website: https://infisical.com/
• LinkedIn: https://www.linkedin.com/company/infisical
• GitHub: https://github.com/Infisical
• Twitter / X: https://x.com/infisical
• Slack: https://infisical.com/slack
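The runtime pattern described above (OIDC login to Infisical, secrets injected into the job, Docker push with no stored credentials), as an added example workflow that is not the video's or Infisical's own code. It assumes the Infisical/secrets-action inputs (method, identity-id, domain, project-slug, env-slug, secret-path, export-type) as documented for that action; the identity ID, project slug, secret names and the action version tag are placeholders.

```yaml
# .github/workflows/release.yml (added example, not from the video).
# Action inputs are assumed from the Infisical/secrets-action docs;
# IDs, slugs, secret names and the release tag are placeholders.
name: build-and-push

on:
  push:
    branches: [main]

# Least privilege: the job may request a GitHub OIDC token and read the
# repo, nothing more. No Infisical API key or GitHub Secret is declared.
permissions:
  contents: read
  id-token: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # GitHub signs a short-lived OIDC token carrying repository, workflow
      # and ref claims. Infisical verifies it against the claim bindings
      # configured on the machine identity, so a different repo or branch
      # presenting its own token is rejected. The identity ID is not a
      # secret, so it can live in a plain repository variable.
      - name: Fetch secrets from Infisical via OIDC
        uses: Infisical/secrets-action@<pinned-release-tag>   # placeholder
        with:
          method: oidc
          identity-id: ${{ vars.INFISICAL_IDENTITY_ID }}
          domain: https://app.infisical.com
          project-slug: my-app-placeholder
          env-slug: prod
          secret-path: /ci
          export-type: env   # exposed as env vars to later steps only

      # REGISTRY_USER / REGISTRY_TOKEN (placeholder names) were fetched at
      # runtime from Infisical; rotating them there needs no change here.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ env.REGISTRY_USER }}
          password: ${{ env.REGISTRY_TOKEN }}

      - run: |
          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
```

Check that the machine identity's OIDC configuration binds the subject (for example to a specific repository and branch) rather than accepting any token from the GitHub issuer; otherwise the identity-based model collapses back to a shared credential.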