gha-security-review

<!-- Attack patterns and real-world examples sourced from the HackerBot Claw campaign analysis by StepSecurity (2025): https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation --> # GitHub Actions Security Review Find exploitable vulnerabilities in GitHub Actions workflows. Every finding MUST include a concrete exploitation scenario — if you can't build the attack, don't report it. This skill encodes attack patterns from real GitHub Actions exploits — not generic CI/CD theory. ## When to Use - You are reviewing GitHub Actions workflows for exploitable security issues. - The task requires tracing a concrete attack path from an external attacker to workflow execution or secret exposure. - You need a security review of workflow files, composite actions, or workflow-related scripts with evidence-based findings only. ## Scope Review the workflows provided (file, diff, or repo). Research the codebase as needed to trace complete attack paths before reporting. ### Files to Review - `.github/workflows/*.yml` — all workflow definitions - `action.yml` / `action.yaml` — composite actions in the repo - `.github/actions/*/action.yml` — local reusable actions - Config files loaded by workflows: `CLAUDE.md`, `AGENTS.md`, `Makefile`, shell scripts under `.github/` ### Out of Scope - Workflows in other repositories (only note the dependency) - GitHub App installation permissions (note if relevant) ## Threat Model Only report vulnerabilities exploitable by an **e...