GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions

GitHub/Repository Security/GitHub Workflows & Actions (view source)

249 bytes added , 11 July 2024

updated with 'actions/checkout' tip

Confirmed users

1,364

edits

@@ Line 15: / Line 15: @@
 #* Use mitigations where appropriate.
 # As always, enforce “least privilege” wherever possible.
+#* Explicitly set "<code>persist-credentials: false</code>" when using the "<code>actions/checkout</code>" action. (Prevent hidden state.)
 == Resources and tools ==
@@ Line 23: / Line 25: @@
 * Read GitHub’s [https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions security hardening for actions].
-* Always reduce permissions to the minimum needed, using the [https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes <code>permissions</code> parameter]
+* Always reduce permissions to the minimum needed, using the [https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defining-access-for-the-github_token-scopes <code>permissions</code> parameter]. ([https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ more info])
 * More details on how those vulnerabilities work, in a 3 part section from github:
 ** [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Part 1] - Preventing Pwn requests