If you discover a security vulnerability, do not open a public issue. Instead:
- Email: security@swiftpay.finance
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We'll acknowledge receipt within 24 hours and provide a status update within 7 days.
GitHub Secrets:
- Encrypted at rest: values are encrypted before they reach GitHub and are decrypted only when a workflow that is allowed to use them runs
- Masked in logs: GitHub redacts the exact secret value from workflow output. Masking is best-effort, so a value that is transformed before being printed (base64, URL-encoded, split across lines) is not redacted
- Scoped by environment: an environment secret is released only to jobs that pass the environment's protection rules, such as a branch restriction
- Auditable: creating, updating and deleting secrets is recorded in the organization audit log
OIDC for cloud authentication:
- No long-lived tokens stored in GitHub: the workflow requests a short-lived ID token (it needs `permissions: id-token: write`) and exchanges it for cloud credentials
- Temporary credentials issued per job
- Automatic expiration: the credentials expire at the end of their session duration (one hour by default with `aws-actions/configure-aws-credentials`), whether or not the job has finished, and never need to be revoked by hand
- Fine-grained permissions via IAM roles
GitHub Actions supply chain:
- Actions pinned to a full commit SHA in workflows (a tag such as `@v4` can be moved to point at different code; a SHA cannot)
- Official actions only (GitHub, Google, PyPA, AWS, etc.)
- Updates to pinned actions surfaced by Dependabot
- Source code reviewed before adding new actions
Leak prevention:
- GitHub's secret scanning enabled
- Pre-commit hooks block common credential patterns before they reach a commit
- `.gitignore` excludes `.env` and other local credential files, so they cannot be committed by accident
Adding a secret:
Repository → Settings → Secrets and variables → Actions → New repository secret
Required repository secrets:
- `NPM_TOKEN`: npm authentication token. Get it from npmjs.com → Access Tokens → Generate New Token → Automation (an automation token skips the 2FA prompt so CI can publish). Scope: Read and Publish.
- `AWS_ROLE_TO_ASSUME`: ARN of the OIDC-enabled IAM role. Format: `arn:aws:iam::ACCOUNT_ID:role/github-checkout-release`. Create it in AWS IAM with the OIDC trust policy below. A role ARN is not itself a credential; keeping it in a secret only keeps the account ID out of the workflow file.
- `AWS_S3_BUCKET`: S3 bucket for IIFE hosting. Example: `cdn.swiftpay.finance`.
PyPI: no secrets needed. PyPI uses GitHub OIDC trusted publishers, so the publish job only needs `permissions: id-token: write` and a publisher registered on PyPI.
PyPI Setup:
- Go to pypi.org → Account Settings → Publishing
- Add a trusted publisher
- Choose GitHub → enter the owner, repository name, workflow filename and (optionally) the environment name exactly as they appear in the repo; PyPI matches these against the claims in the workflow's ID token
AWS Setup:
AWS IAM → Identity providers → Add provider (OpenID Connect)
```json
{
  "Provider URL": "https://token.actions.githubusercontent.com",
  "Audience": "sts.amazonaws.com"
}
```
Create an IAM Role with this trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:theigwe/swiftpay-finance:ref:refs/heads/*"
        }
      }
    }
  ]
}
```
The `sub` condition is what binds the role to this repository; without it, any GitHub repository could assume the role. The `refs/heads/*` wildcard lets a workflow on any branch of the repo assume it. For a release role, tighten it to the release branch (`repo:theigwe/swiftpay-finance:ref:refs/heads/main`) or to a protected environment (`repo:theigwe/swiftpay-finance:environment:production`) so that a workflow on an unprotected branch cannot publish.

Attach S3 policy to role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::your-bucket/checkout/*"
    }
  ]
}
```
Replace `your-bucket` with the value of `AWS_S3_BUCKET`. The resource is limited to the `checkout/` prefix, so the role cannot read or overwrite anything else in the bucket. `s3:PutObjectAcl` is only needed if the bucket still has ACLs enabled; with the default bucket-owner-enforced object ownership, ACL writes are rejected and the action can be dropped.

Secret scanning:
Repository → Settings → Security and analysis → Secret scanning → Enable
GitHub will:
- 🔍 Scan commits, including existing history, for known credential patterns
- 🚨 Alert repository admins on detected patterns
- 🔐 Block pushes that contain high-confidence secrets, if push protection is also enabled (a separate toggle on the same settings page)
Secret scanning is free for public repositories; private repositories need GitHub Advanced Security.
Do:
- Use GitHub Secrets for all sensitive values
- Use OIDC for cloud provider authentication
- Pin GitHub Actions to a full commit SHA
- Review action source code before use
- Keep dependencies updated
- Rotate credentials regularly
- Review the audit log for secret changes and unexpected workflow runs
- Enable branch protection for main/dev
Don't:
- Hardcode secrets in workflows
- Commit `.env` files
- Use personal access tokens (use OIDC instead)
- Store credentials in code comments
- Use old/unmaintained GitHub Actions
- Disable secret scanning
- Share credentials via Slack/Email
- Grant wildcard (`*`) actions or resources in IAM policies when specific ones exist
For each SDK release workflow:
- `NPM_TOKEN` configured and rotated annually
- `AWS_ROLE_TO_ASSUME` ARN correct and the role's permissions minimal
- `AWS_S3_BUCKET` name correct and the bucket policy keeps it private
- OIDC trust policy `sub` condition matches this GitHub repo (and, ideally, only the release branch or environment)
- Branch protection rules enabled
- Secret scanning enabled
- Dependabot alerts checked weekly
- Workflow logs reviewed for exposure
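The two checklist items about the IAM role can be checked mechanically. The following is an added example, not part of the project's tooling: it lints the trust policy and the S3 permissions policy shown above for the problems this page warns about (wrong audience, a `sub` that is not pinned to this repository or that admits every branch, wildcard grants, and the `s3:PutObjectAcl` action). The two policies are embedded as constructed inputs copied from this document, with `ACCOUNT_ID` left as the placeholder it is above; the ERROR/WARN labels are this example's own convention.

```python
"""Lint the IAM trust and permissions policies behind AWS_ROLE_TO_ASSUME.

Added example, not part of the project's tooling. ERROR means a workflow outside
the intended repository could use the role or the grant is wider than needed;
WARN is hardening advice.
"""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
AWS_AUDIENCE = "sts.amazonaws.com"


def _as_list(value):
    """IAM accepts a scalar or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key):
    """Collect values for `key` under every operator (StringEquals, StringLike, ...)."""
    values = []
    for pairs in condition.values():
        if key in pairs:
            values.extend(_as_list(pairs[key]))
    return values


def check_trust_policy(policy, repo):
    """Findings for a trust policy; `repo` is the 'owner/name' the role must be bound to."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(p.endswith(f":oidc-provider/{GITHUB_OIDC}") for p in principals):
            findings.append("ERROR: Federated principal is not the GitHub OIDC provider")
        condition = stmt.get("Condition", {})
        if _condition_values(condition, f"{GITHUB_OIDC}:aud") != [AWS_AUDIENCE]:
            findings.append(f"ERROR: aud condition must be exactly {AWS_AUDIENCE}")
        subs = _condition_values(condition, f"{GITHUB_OIDC}:sub")
        if not subs:
            findings.append("ERROR: no sub condition; any GitHub repository could assume this role")
        for sub in subs:
            if not sub.startswith(f"repo:{repo}:"):
                findings.append(f"ERROR: sub {sub!r} is not pinned to repo:{repo}")
            elif sub.endswith(":ref:refs/heads/*"):
                findings.append(f"WARN: sub {sub!r} allows every branch; pin the release branch or an environment")
    return findings


def check_permissions_policy(policy):
    """Findings for the role's permissions policy: wildcard grants and ACL writes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"ERROR: wildcard action {action!r}; list the actions the workflow needs")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("ERROR: Resource '*'; scope to the bucket and prefix the workflow writes")
        if "s3:PutObjectAcl" in actions:
            findings.append("WARN: s3:PutObjectAcl is rejected when the bucket enforces bucket-owner "
                            "ownership (the default for new buckets); drop it unless ACLs are enabled")
    return findings


# Constructed inputs: the two policies from this document, ACCOUNT_ID placeholder included.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:theigwe/swiftpay-finance:ref:refs/heads/*"}
    }
  }]
}""")
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": "arn:aws:s3:::your-bucket/checkout/*",
    }],
}

if __name__ == "__main__":
    for finding in (check_trust_policy(TRUST_POLICY, "theigwe/swiftpay-finance")
                    + check_permissions_policy(PERMISSIONS_POLICY)):
        print(finding)
```

Run against the policies on this page, the trust policy produces a single warning about the `refs/heads/*` wildcard and the permissions policy a single warning about `s3:PutObjectAcl`; a trust policy with no `Condition` block, or one checked against a different repository, produces errors. Running this in the release workflow before `aws iam update-assume-role-policy` turns the "trust policy matches GitHub repo" checklist item into something that cannot be skipped.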
If a secret is accidentally exposed:
- Immediately revoke the token/credential. Treat anything that has been pushed as compromised even if the commit is later removed; history, forks and caches keep a copy
- Issue new credentials (new npm token, new AWS role or trust policy, etc.)
- Update GitHub Secrets with new values
- Check logs for unauthorized use (npm publish history, AWS CloudTrail entries for the role)
- Notify stakeholders as appropriate
- Document the incident and prevention steps
Contact: security@swiftpay.finance