Skip to main content

Security Best Practices

Security is crucial when automating your Figma plugin deployment. This guide covers best practices to keep your deployment process secure.

Credential Management

GitHub Secrets

Always store sensitive information in GitHub Secrets:
  • FIGMA_EMAIL
  • FIGMA_PASSWORD
  • FIGMA_TOTP_SECRET
Never store these credentials in your repository files or expose them in logs.

Access Control

  1. Repository Access
    • Limit repository access to necessary team members
    • Use repository roles to control permissions
    • Regularly audit repository access
  2. Workflow Permissions
    • Configure minimal required permissions for workflows
    • Use environment protection rules
    • Enable required reviewers for protected environments

Dedicated Publishing Account

Following the principle of least privilege, we strongly recommend creating a dedicated Figma account for plugin publishing:
  1. Account Setup
    • Create a new Figma account using a company email
    • Use a strong, unique password
    • Enable two-factor authentication (mandatory for plugin publishing)
    • Document account details in a secure location
  2. Permission Configuration
    • Grant access only to plugin management features
    • Remove unnecessary team/organization access
    • Configure plugin-specific permissions only
  3. Access Management
    • Maintain a list of team members with access to this account
    • Implement a process for access revocation
    • Regularly review and update access permissions
    • Consider using a password manager for team access
  4. Security Considerations
    • Use this account exclusively for plugin publishing
    • Avoid using this account for design work or other Figma activities
    • Monitor account activity regularly
    • Update credentials if team members with access leave the organization
Never share this account’s credentials through unsecured channels like email or chat. Use a secure password manager or your organization’s secret management system.

Environment Configuration

Environment Protection

Set up protected environments in GitHub:
  1. Go to Repository Settings > Environments
  2. Create environments (e.g., staging, production)
  3. Configure protection rules:
    • Required reviewers
    • Wait timer
    • Deployment branches
Example environment configuration: 
name: Deploy to Production
on:
  push:
    tags:
      - "v*"

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      # ... deployment steps

Secret Rotation

Implement regular credential rotation:
  1. Generate new credentials periodically
  2. Update GitHub Secrets
  3. Verify deployment after updates
  4. Remove old credentials

Secure Workflow Practices

Input Validation

Validate all inputs in your workflow: 
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Validate Inputs
        run: |
          if [[ ! ${{ github.ref }} =~ ^refs/tags/v ]]; then
            echo "Invalid tag format"
            exit 1
          fi

Dependency Security

  1. Action Versions
    • Pin action versions using SHA
    • Regularly update dependencies
    • Monitor security advisories
Example of pinned actions: 
steps:
  - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
  - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
  1. Dependency Scanning
    • Use GitHub’s dependency scanning
    • Implement automated security updates
    • Review dependency changes

Monitoring and Auditing

Workflow Logs

Monitor workflow execution:
  1. Review workflow logs regularly
  2. Set up notifications for failures
  3. Monitor unusual patterns
  4. Configure log retention policies

Audit Trail

Maintain deployment records:
  1. Use detailed commit messages
  2. Tag releases properly
  3. Document deployment issues
  4. Keep change logs updated

Common Security Issues

  • Check workflow logs for exposed secrets - Review public repository content
  • Monitor GitHub Security alerts
  • Review repository access regularly - Monitor workflow runs - Check deployment logs
  • Monitor dependency advisories - Update dependencies regularly - Review automated security updates

Security Checklist

Store credentials in GitHub Secrets
Configure protected environments
Implement secret rotation
Pin action versions
Monitor workflow logs
Regular security audits

Additional Resources

GitHub Security

GitHub Actions security guides

Figma Security

Figma security documentation