Github Actions

GitHub Actions Code Review Rules

Security (Critical)

• Pin actions to full commit SHA (not @v1 or @main)
• Use minimal permissions block (principle of least privilege)
• Never echo secrets or use them in URLs
• Use secrets.GITHUB_TOKEN instead of PATs when possible
• Audit third-party actions before use
• Review expressions (${{ }}) for injection risks; never interpolate untrusted user input
• Validate all inputs to reusable workflows and custom actions

Permissions