GitHub Actions Security Checklist for Supply Chain Attacks
8 hours ago
- #CI/CD Hardening
- #GitHub Actions
- #Supply Chain Security
- Set default GITHUB_TOKEN permissions to read-only to enforce least privilege.
- Pin third-party actions to full commit SHAs, not tags or branches, to prevent mutable dependency risks.
- Avoid pull_request_target for public repos and treat user inputs as untrusted to prevent code execution.
- Use OIDC for cloud access instead of long-lived static secrets to reduce exposure.
- Restrict workflow permissions, secure triggers, and prevent script injection from untrusted data.
- Harden runners, secure artifacts/caches, and implement continuous detection for workflow risks.
- Follow a rollout plan: inventory workflows, apply org defaults, fix high-risk patterns, and monitor continuously.