Tightening up security when using dbt-core with GitHub actions

The problem I’m having

We want to use GitHub actions to schedule dbt (i.e., `dbt run`) but we don’t want to allow other (non-dbt) steps in the action to access our database.

What I’ve already tried

We’ve implemented this using the action “mwhitaker/dbt-action@master”, which requires the secrets to be held in GitHub and published into the environment of the runner.

The problem I’m trying to overcome

This approach works fine but it allows developers to add other steps that can use these credentials to access the database and extract data.

Is there another approach where only dbt can access the credentials?

The readme notes that:

you can call this action with a specific release, e.g. mwhitaker/dbt-action@v0.21.0 or mwhitaker/dbt-action@v0.19.1

If you did this, you would also know that the release only contains the steps you see today.

If you’re using the action, you implicitly have to trust that the developer isn’t going to misuse those credentials. You could instead use dbt Cloud for your orchestration, and either use its built-in scheduler (no GHA at all) or trigger a dbt Cloud run from a GHA instead (you would still need to provide a dbt Cloud API key to GitHub, but it wouldn’t be your database credentials which might be preferable).

Or you could fork the action and use your own copy of it?
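The workflow below is an added example, not code from the original thread or from the mwhitaker/dbt-action project, showing the two mitigations a reviewer would ask for in this setup: pinning the action to a specific release instead of `@master`, and attaching the database secrets to the dbt step only (step-level `env:`) rather than to the job or workflow, so that a step added later in the same job does not inherit them. The action input name `dbt_command`, the environment variable names `DBT_USER` / `DBT_PASSWORD`, the environment name `production-warehouse` and the cron schedule are assumptions for illustration; check the action's README and your `profiles.yml` for the names it actually reads.

```yaml
# Added example (not from the original post or from mwhitaker/dbt-action).
# Assumed: the action accepts a `dbt_command` input and reads database
# credentials from environment variables. DBT_USER / DBT_PASSWORD are
# placeholder names; use the ones your profiles.yml references.
name: scheduled-dbt-run

on:
  schedule:
    - cron: "0 6 * * *"   # constructed schedule: daily at 06:00 UTC

# Weak setting (deliberately absent here): a workflow- or job-level
#   env:
#     DBT_PASSWORD: ${{ secrets.DBT_PASSWORD }}
# puts the secret in the environment of *every* step of the job, which is
# exactly the exposure the question describes.

jobs:
  dbt:
    runs-on: ubuntu-latest
    # Bind the job to a GitHub environment so its protection rules
    # (required reviewers, deployment-branch restrictions) gate who can
    # trigger a run that receives these secrets.
    environment: production-warehouse
    steps:
      - uses: actions/checkout@v4

      # Pin to a release tag (or, stronger, a full commit SHA) rather than
      # @master, so the steps that run are the ones reviewed at that version.
      - name: Run dbt
        uses: mwhitaker/dbt-action@v0.21.0
        with:
          dbt_command: "dbt run"
        # Step-scoped env: only this step's process tree sees the credentials.
        env:
          DBT_USER: ${{ secrets.DBT_USER }}
          DBT_PASSWORD: ${{ secrets.DBT_PASSWORD }}

      # This later step does not inherit the step-scoped env above, so
      # "$DBT_PASSWORD" expands to an empty string here.
      - name: Post-run step without database access
        run: echo "dbt finished; DBT_PASSWORD is '${DBT_PASSWORD:-unset}' in this step"
```

Step-scoped secrets stop accidental or incidental leakage between steps, but they do not stop a developer with write access to `.github/workflows/` from moving the `env:` block onto another step. Controlling that is a change-review problem: require review of workflow edits (for example a `CODEOWNERS` entry for `.github/workflows/`) and use environment protection rules so that a modified workflow on an unreviewed branch cannot obtain the production secrets. Pinning to a commit SHA rather than a tag also removes the possibility of the tag being moved to different code.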