Chapter Twelve

Security and Supply Chain

The credentials, signatures, and pipeline controls that secure a repository end to end — from how you authenticate and prove authorship to scoping Actions, scanning for leaks, signing releases, and administering access at scale.

6 topics

Security on GitHub is not one feature but a chain, and a chain is only as strong as its weakest link. This chapter walks that chain from the credential you authenticate with, through the signature that proves you wrote a commit, into the workflow that runs third-party code with a token, and out to the artifact a stranger downloads and trusts.

The recurring theme is least privilege and verifiable trust: scope every credential as narrowly as it can do its job, prove identity with cryptography rather than free-text fields, and make every gate — scanning, signing, branch protection — a check that actually blocks rather than a dashboard nobody reads.

Defense in depth, top to foundation

Provenance & signed releases: Link each shipped artifact to its source commit so downloaders can verify it.
Dependency & secret scanning: Catch vulnerable packages and leaked credentials before they reach main.
Least-privilege token + OIDC: Scope GITHUB_TOKEN narrowly and mint short-lived cloud credentials, no stored keys.
Commit signing: Bind authorship to a key with cryptography instead of a free-text email field.
Authentication: SSH keys and scoped tokens — the credential every other control builds on.

Topics in This Chapter