When to Use

When GitHub Actions is the CI/CD platform and workflows need hardening against supply chain attacks
When workflows handle secrets, deploy to production, or have elevated permissions
When preventing script injection via untrusted PR titles, branch names, or commit messages
When requiring audit trails and approval gates for workflow modifications
When third-party actions pose supply chain risk through mutable version tags

Do not use for securing other CI/CD platforms (see platform-specific hardening guides), for application vulnerability scanning (use SAST/DAST), or for secret detection in code (use Gitleaks).

Prerequisites

GitHub repository with GitHub Actions enabled
GitHub organization admin access for organization-level settings
Understanding of GitHub Actions workflow syntax and events

Workflow

Step 1: Pin Actions to SHA Digests

When to Use

When GitHub Actions is the CI/CD platform and workflows need hardening against supply chain attacks
When workflows handle secrets, deploy to production, or have elevated permissions
When preventing script injection via untrusted PR titles, branch names, or commit messages
When requiring audit trails and approval gates for workflow modifications
When third-party actions pose supply chain risk through mutable version tags

Do not use for securing other CI/CD platforms (see platform-specific hardening guides), for application vulnerability scanning (use SAST/DAST), or for secret detection in code (use Gitleaks).

Prerequisites

GitHub repository with GitHub Actions enabled
GitHub organization admin access for organization-level settings
Understanding of GitHub Actions workflow syntax and events

Securing Github Actions Workflows

When to Use

Prerequisites

Workflow

Step 1: Pin Actions to SHA Digests

Securing Github Actions Workflows

When to Use

Prerequisites

Workflow

Step 1: Pin Actions to SHA Digests

Openclaw Ghsa Maintainer

Gh Issues

Security Triage

Github

Author Contributions

Repository Setup