securing-github-actions-workflows

# Securing GitHub Actions Workflows ## When to Use - When GitHub Actions is the CI/CD platform and workflows need hardening against supply chain attacks - When workflows handle secrets, deploy to production, or have elevated permissions - When preventing script injection via untrusted PR titles, branch names, or commit messages - When requiring audit trails and approval gates for workflow modifications - When third-party actions pose supply chain risk through mutable version tags **Do not use** for securing other CI/CD platforms (see platform-specific hardening guides), for application vulnerability scanning (use SAST/DAST), or for secret detection in code (use Gitleaks). ## Prerequisites - GitHub repository with GitHub Actions enabled - GitHub organization admin access for organization-level settings - Understanding of GitHub Actions workflow syntax and events ## Workflow ### Step 1: Pin Actions to SHA Digests ```yaml # INSECURE: Mutable tag can be overwritten by attacker - uses: actions/checkout@v4 # SECURE: Pinned to immutable SHA digest - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Use Dependabot to auto-update pinned SHAs # .github/dependabot.yml version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" commit-message: prefix: "ci" ``` ### Step 2: Minimize GITHUB_TOKEN Permissions ```yaml # Set restrictive default permissions at workflow level name: CI Pipeli...