React SPA Security & GitHub Pages Deployment #814

uyriq · 2025-01-13T19:40:47Z

uyriq
Jan 13, 2025

This post concerns a React Single Page Application deployed to GitHub Pages using:

React 18
GitHub Actions for CI/CD
GITHUB_TOKEN with 'no permissions' for authorize access to https://models.inference.ai.azure.com

// filepath: .env
REACT_APP_OPENAI_API_KEY=mykey        // ❌ Exposed in bundle
REACT_APP_GITHUB_TOKEN=GITHUB_TOKEN    // ⚠️ Limited exposure risk

is this true or false?

what can be done bad with GITHUB_TOKEN from react bundle?

Comment below with specific use cases or security concerns!