(Needed to update and add the bullet points)
m (Just changing the spacing on the page)
Line 19: | Line 19:
# When configuring automatic merging or making exceptions in the workflow for Dependabot, make sure to validate the user and not the actor in the GitHub Action.
#* Use the check "<code>github.event.pull_request.user.login == 'dependabot[bot]'</code>" instead of "<code>github.actor == 'dependabot[bot]'</code>"
'''Additionally''', following a recent supply-chain attack involving the '''reviewdog/action-setup''' GitHub Action (March 2025), it is strongly recommended to:
Line 27: | Line 26:
* Immediately rotate any credentials (such as Personal Access Tokens, API keys, or other secrets) if you suspect exposure.
* Promptly update any third-party actions to their latest patched versions, and verify their integrity before use.
== Resources and tools ==