Commit
[Improvement]: Recommend protection rules when environments are used in workflows and OIDC policies (#46577)
SiaraMist authored Nov 27, 2023
1 parent 1154921 commit 6d54fb6
Showing 7 changed files with 16 additions and 5 deletions.
Expand Up @@ -65,11 +65,7 @@ Edit the trust policy, adding the `sub` field to the validation conditions. For

If you use a workflow with an environment, the `sub` field must reference the environment name: `repo:OWNER/REPOSITORY:environment:NAME`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)."

{% note %}

**Note**: When using an environment in a workflow it is strongly recommend to protect access by configuring deployment protection rules. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules)."

{% endnote %}
{% data reusables.actions.oidc-deployment-protection-rules %}

```json copy
"Condition": {
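Review bot: the deleted inline note said protecting access is "strongly recommend[ed]", while the reusable that replaces it only says "we recommend"; on this AWS trust-policy page the environment-scoped `sub` condition described just above is what limits which workflow runs may assume the role, so the environment's protection rules are the remaining control over who can trigger those runs. If the stronger wording was deliberate here, consider carrying it into the reusable; otherwise the swap is a clean replacement, and the blank line before the ```json fence is preserved.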
Expand Up @@ -58,6 +58,8 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
1. Add permissions settings for the token.
1. Use the [`azure/login`](https://github.com/Azure/login) action to exchange the OIDC token (JWT) for a cloud access token.

{% data reusables.actions.oidc-deployment-protection-rules %}

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
Expand Up @@ -33,6 +33,8 @@ To update your workflows for OIDC, you will need to make two changes to your YAM

If your cloud provider doesn't yet offer an official action, you can update your workflows to perform these steps manually.

{% data reusables.actions.oidc-deployment-protection-rules %}

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
Expand Up @@ -45,6 +45,8 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
1. Add permissions settings for the token.
1. Use the [`google-github-actions/auth`](https://github.com/google-github-actions/auth) action to exchange the OIDC token (JWT) for a cloud access token.

{% data reusables.actions.oidc-deployment-protection-rules %}

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
Expand Up @@ -93,6 +93,8 @@ To update your workflows for OIDC, you will need to make two changes to your YAM
1. Add permissions settings for the token.
1. Use the [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action) action to exchange the OIDC token (JWT) for a cloud access token.
{% data reusables.actions.oidc-deployment-protection-rules %}
To add OIDC integration to your workflows that allow them to access secrets in Vault, you will need to add the following code changes:
- Grant permission to fetch the token from the {% data variables.product.prodname_dotcom %} OIDC provider:
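Review bot: the `{% data reusables.actions.oidc-deployment-protection-rules %}` line is inserted directly between the last numbered item (`1. Use the [`hashicorp/vault-action`] ... action ...`) and the paragraph `To add OIDC integration to your workflows ...` with no blank lines, unlike the Azure, GCP and PyPI hunks, which surround the reusable with blank lines. Because the reusable expands to a `{% note %}` block, a Markdown renderer may treat it as a lazy continuation of the list item and run the following paragraph into `{% endnote %}`; add a blank line before and after the `{% data ... %}` line to match the other files.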
Expand Up @@ -47,6 +47,8 @@ To use OIDC with PyPI, add a trust configuration that links each project on PyPI

Once your trusted publisher is registered on PyPI, you can update your release workflow to use trusted publishing.

{% data reusables.actions.oidc-deployment-protection-rules %}

The [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish) action has built-in support for trusted publishing, which can be enabled by giving its containing job the `id-token: write` permission and omitting `username` and `password`.

The following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
5 changes: 5 additions & 0 deletions data/reusables/actions/oidc-deployment-protection-rules.md
@@ -0,0 +1,5 @@
{% note %}

**Note**: When environments are used in workflows or in OIDC policies, we recommend adding protection rules to the environment for additional security. For example, you can configure deployment rules on an environment to restrict which branches and tags can deploy to the environment or access environment secrets. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules)."

{% endnote %}
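Review bot: the note text says "configure deployment rules on an environment", while the file name, the link anchor `#deployment-protection-rules` and the pages that include this reusable all use the term "deployment protection rules"; use the full term in the sentence so readers can match it to the linked heading. The example clause "restrict which branches and tags can deploy to the environment or access environment secrets" would also read more precisely as "... can deploy to the environment and access its secrets", since a single branch and tag rule gates both.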
