
Maven / GitHub Actions Interview Questions

How do you prevent secret exposure and follow security hardening best practices in GitHub Actions?

GitHub Actions workflows run code triggered by events — including potentially untrusted content from pull requests — so hardening them against secret exposure and code injection is essential.

1. Pin third-party actions to a full commit SHA. A mutable version tag like @v3 can be moved to point at different, possibly malicious, code after you have reviewed it; a full commit SHA identifies one immutable revision:

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

2. Use minimum required permissions. Declare permissions: {} at the workflow level to deny everything, then grant only what specific jobs need:

permissions: {}
jobs:
  release:
    permissions:
      contents: write
      packages: write

3. Never interpolate untrusted input directly into run: scripts. Pull request titles, branch names, and issue bodies are attacker-controlled. This is vulnerable to shell injection:

# DANGEROUS — do not do this
- run: echo "PR title: ${{ github.event.pull_request.title }}"

Safe approach — pass through an environment variable:

- run: echo "PR title: $PR_TITLE"
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}

4. Avoid pull_request_target unless you understand its risks. Unlike pull_request, it runs in the context of the base repository with access to its secrets, so checking out the fork's head code and then building or testing it under this trigger is dangerous: the fork's code runs while those secrets are available.

5. Use GitHub's security features alongside Actions:

  • Enable secret scanning to detect accidentally committed credentials
  • Use github/codeql-action for SAST in the CI pipeline
  • Enable Dependabot to auto-update action versions
  • Use environment protection rules (required reviewers) for production deployments

Why is passing untrusted GitHub event data (e.g. PR title) directly into a run: script using ${{ }} dangerous?
What is the most tamper-resistant way to reference a third-party action in a workflow?

